Tom Eastep
395ea90cd7 Clear the firewall on Debian during systemd stop
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-03-15 13:01:24 -07:00
Tom Eastep
ce861dd0a3 Correctly handle expansion of option names
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-03-15 11:47:54 -07:00
Tom Eastep
8fca17a0ef Correct all+ handling in the policy file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-03-15 11:36:47 -07:00
Tom Eastep
63d7580219 Allow compact IPv6 addresses in IP6TABLES() rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-07 16:20:38 -08:00
Tom Eastep
1d1068ac74 Correct splitting of IP(6)TABLES options
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-07 16:20:26 -08:00
Tom Eastep
5bc724c268 Correct handling of safe-restart with SAVE_IPSETS
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-27 16:35:58 -08:00
Tom Eastep
c6fab61c3d Remove redundent test
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-20 14:42:20 -08:00
Tom Eastep
03a9b92a14 Use 'ip -s xfrm' to dump the SPD and SAD
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-20 09:30:49 -08:00
Matt Darfeuille
b3b637d663 shorewall: Correct displaying of shorewall version
Add the Product name variable to properly display the product name
when the '-v' option is passed to the script.

Signed-off-by: Matt Darfeuille <matdarf@gmail.com>
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-20 09:30:16 -08:00
Tom Eastep
363679bb4c Correct merge compatibility change
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-20 09:29:50 -08:00
Tom Eastep
458c26c2d6 Exercise care when merging rules including -m multiport
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-20 09:29:36 -08:00
Tom Eastep
e229849c5b Correct intra-zone handling in policies
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-19 09:12:14 -08:00
169 changed files with 9026 additions and 5201 deletions


@@ -365,12 +365,6 @@ fi
# Note: ${VARDIR} is created at run-time since it has always been # Note: ${VARDIR} is created at run-time since it has always been
# a relocatable directory on a per-product basis # a relocatable directory on a per-product basis
# #
# Install the CLI
#
install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
#
# Install wait4ifup # Install wait4ifup
# #
install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755 install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
@@ -386,31 +380,6 @@ for f in lib.* ; do
echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f" echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
done done
if [ $SHAREDIR != /usr/share ]; then
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
fi
#
# Install the Man Pages
#
if [ -n "$MANDIR" ]; then
cd manpages
[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
for f in *.8; do
gzip -9c $f > $f.gz
install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
done
cd ..
echo "Man Pages Installed"
fi
# #
# Symbolically link 'functions' to lib.base # Symbolically link 'functions' to lib.base
# #


@@ -20,22 +20,412 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>. # along with this program; if not, see <http://www.gnu.org/licenses/>.
# #
# This library is a compatibility wrapper around lib.core. # This library contains the code common to all Shorewall components except the
# generated scripts.
# #
if [ -z "$PRODUCT" ]; then SHOREWALL_LIBVERSION=40509
[ -n "${g_program:=shorewall}" ]
if [ -z "$g_readrc" ]; then
# #
# This is modified by the installer when ${SHAREDIR} != /usr/share # This is modified by the installer when ${SHAREDIR} != /usr/share
# #
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
g_basedir=${SHAREDIR}/shorewall g_sharedir="$SHAREDIR"/$g_program
g_confdir="$CONFDIR"/$g_program
g_readrc=1
fi
if [ -z "$SHOREWALL_LIBVERSION" ]; then g_basedir=${SHAREDIR}/shorewall
. ${g_basedir}/lib.core
case $g_program in
shorewall)
g_product="Shorewall"
g_family=4
g_tool=iptables
g_lite=
;;
shorewall6)
g_product="Shorewall6"
g_family=6
g_tool=ip6tables
g_lite=
;;
shorewall-lite)
g_product="Shorewall Lite"
g_family=4
g_tool=iptables
g_lite=Yes
;;
shorewall6-lite)
g_product="Shorewall6 Lite"
g_family=6
g_tool=ip6tables
g_lite=Yes
;;
esac
if [ -z "${VARLIB}" ]; then
VARLIB=${VARDIR}
VARDIR=${VARLIB}/$g_program
elif [ -z "${VARDIR}" ]; then
VARDIR="${VARLIB}/${PRODUCT}"
fi
#
# Fatal Error
#
fatal_error() # $@ = Message
{
echo " ERROR: $@" >&2
exit 2
}
#
# Not configured Error
#
not_configured_error() # $@ = Message
{
echo " ERROR: $@" >&2
exit 6
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 1 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
}
progress_message2() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
}
progress_message3() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -ge 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
}
#
# Undo the effect of 'separate_list()'
#
combine_list()
{
local f
local o
o=
for f in $* ; do
o="${o:+$o,}$f"
done
echo $o
}
#
# Validate an IP address
#
valid_address() {
local x
local y
local ifs
ifs=$IFS
IFS=.
for x in $1; do
case $x in
[0-9]|[0-9][0-9]|[1-2][0-9][0-9])
[ $x -lt 256 ] || { IFS=$ifs; return 2; }
;;
*)
IFS=$ifs
return 2
;;
esac
done
IFS=$ifs
return 0
}
#
# Miserable Hack to work around broken BusyBox ash in OpenWRT
#
addr_comp() {
test $(bc <<EOF
$1 > $2
EOF
) -eq 1
}
#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
local first
local last
local l
local x
local y
local z
local vlsm
case $1 in
!*)
#
# Let iptables complain if it's a range
#
echo $1
return
;;
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if addr_comp $first $last; then
fatal_error "Invalid IP address range: $1"
fi fi
set_default_product l=$(( $last + 1 ))
setup_product_environment while addr_comp $l $first; do
fi vlsm=
x=31
y=2
z=1
while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
y=$(( $y * 2 ))
done
echo $(encodeaddr $first)$vlsm
first=$(($first + $z))
done
}
ip_range_explicit() {
local first
local last
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if addr_comp $first $last; then
fatal_error "Invalid IP address range: $1"
fi
while ! addr_comp $first $last; do
echo $(encodeaddr $first)
first=$(($first + 1))
done
}
[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
#
# Netmask to VLSM
#
ip_vlsm() {
local mask
mask=$(decodeaddr $1)
local vlsm
vlsm=0
local x
x=$(( 128 << 24 )) # 0x80000000
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1))
done
if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2
else
echo $vlsm
fi
}
#
# Set default config path
#
ensure_config_path() {
local F
F=${g_sharedir}/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
fi
if [ -n "$g_shorewalldir" ]; then
[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
fi
}
#
# Get fully-qualified name of file
#
resolve_file() # $1 = file name
{
local pwd
pwd=$PWD
case $1 in
/*)
echo $1
;;
.)
echo $pwd
;;
./*)
echo ${pwd}${1#.}
;;
..)
cd ..
echo $PWD
cd $pwd
;;
../*)
cd ..
resolve_file ${1#../}
cd $pwd
;;
*)
echo $pwd/$1
;;
esac
}
#
# Determine how to do "echo -e"
#
find_echo() {
local result
result=$(echo "a\tb")
[ ${#result} -eq 3 ] && { echo echo; return; }
result=$(echo -e "a\tb")
[ ${#result} -eq 3 ] && { echo "echo -e"; return; }
result=$(which echo)
[ -n "$result" ] && { echo "$result -e"; return; }
echo echo
}
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
#
# None - No mktemp
# BSD - BSD mktemp (Mandrake)
# STD - mktemp.org mktemp
#
find_mktemp() {
local mktemp
mktemp=`mywhich mktemp 2> /dev/null`
if [ -n "$mktemp" ]; then
if qt mktemp -V ; then
MKTEMP=STD
else
MKTEMP=BSD
fi
else
MKTEMP=None
fi
}
#
# create a temporary file. If a directory name is passed, the file will be created in
# that directory. Otherwise, it will be created in a temporary directory.
#
mktempfile() {
[ -z "$MKTEMP" ] && find_mktemp
if [ $# -gt 0 ]; then
case "$MKTEMP" in
BSD)
mktemp $1/shorewall.XXXXXX
;;
STD)
mktemp -p $1 shorewall.XXXXXX
;;
None)
> $1/shorewall-$$ && echo $1/shorewall-$$
;;
*)
error_message "ERROR:Internal error in mktempfile"
;;
esac
else
case "$MKTEMP" in
BSD)
mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
;;
STD)
mktemp -t shorewall.XXXXXX
;;
None)
rm -f ${TMPDIR:-/tmp}/shorewall-$$
> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
;;
*)
error_message "ERROR:Internal error in mktempfile"
;;
esac
fi
}
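Review bot: In mktempfile's `None)` branch at the end of this hunk, the redirect creates `${TMPDIR:-}/shorewall-$$` while the echo reports `${TMPDIR:-/tmp}/shorewall-$$`, so with TMPDIR unset the file is created at `/shorewall-$$` but callers are handed `/tmp/shorewall-$$`; the line should read `> ${TMPDIR:-/tmp}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$`. That fallback also uses a predictable name in a shared directory, and the `rm -f` immediately before it leaves a window in which a pre-existing entry (for example a symlink planted by another local user) can be in place when the `>` opens the path. If the branch has to stay for hosts without any mktemp, performing the redirect under `set -C` makes the shell open with O_EXCL so an existing entry causes a failure instead of being followed silently, and a comment above the `None)` arm saying that this path is a last resort that is not safe against local symlink attacks would keep maintainers from extending it. The directory-argument `None)` arm a few lines earlier has the same predictable-name property, though it at least omits the `rm -f`.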


@@ -25,18 +25,22 @@
# loaded after this one and replaces some of the functions declared here. # loaded after this one and replaces some of the functions declared here.
# #
SHOREWALL_CAPVERSION=50100 SHOREWALL_CAPVERSION=50004
if [ -z "$g_basedir" ]; then [ -n "${g_program:=shorewall}" ]
if [ -z "$g_readrc" ]; then
# #
# This is modified by the installer when ${SHAREDIR} <> /usr/share # This is modified by the installer when ${SHAREDIR} <> /usr/share
# #
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
g_basedir=${SHAREDIR}/shorewall g_sharedir="$SHAREDIR"/$g_program
g_confdir="$CONFDIR"/$g_program
g_readrc=1
fi fi
. ${g_basedir}/lib.core . ${SHAREDIR}/shorewall/lib.base
# #
# Issue an error message and die # Issue an error message and die
@@ -78,6 +82,29 @@ showchain() # $1 = name of chain
fi fi
} }
#
# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
#
iptablesbug()
{
if [ $g_family -eq 4 ]; then
if qt mywhich awk ; then
awk 'BEGIN { sline=""; };\
/^-[jg]/ { print sline $0; next };\
/-m policy.*-[jg] / { print $0; next };\
/-m policy/ { sline=$0; next };\
/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
{ print ; sline="" }'
else
echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
cat
fi
else
cat
fi
}
# #
# Validate the value of RESTOREFILE # Validate the value of RESTOREFILE
# #
@@ -368,13 +395,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
printf '\a' $g_ring_bell
packet_log 40 packet_log 40
if [ "$pause" = "Yes" ]; then if [ "$pause" = "Yes" ]; then
echo echo
printf 'Enter any character to continue: ' echo $g_echo_n 'Enter any character to continue: '
read foo read foo
else else
timed_read timed_read
@@ -984,6 +1011,13 @@ show_raw() {
$g_tool -t raw -L $g_ipt_options | $output_filter $g_tool -t raw -L $g_ipt_options | $output_filter
} }
show_rawpost() {
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t rawpost -L $g_ipt_options | $output_filter
}
show_mangle() { show_mangle() {
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
echo echo
@@ -1127,47 +1161,10 @@ show_macros() {
done done
} }
show_an_action() {
echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
cat ${directory}/action.$1
}
show_a_macro() { show_a_macro() {
echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)" echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
cat ${directory}/macro.$1 cat ${directory}/macro.$1
} }
#
# Don't dump empty SPD entries
#
spd_filter()
{
awk \
'BEGIN { skip=0; }; \
/^src/ { skip=0; }; \
/^src 0.0.0.0\/0/ { skip=1; }; \
/^src ::\/0/ { skip=1; }; \
{ if ( skip == 0 ) print; };'
}
#
# Print a heading with leading and trailing black lines
#
heading() {
echo
echo "$@"
echo
}
show_ipsec() {
heading "PFKEY SPD"
$IP -s xfrm policy | spd_filter
heading "PFKEY SAD"
$IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
}
show_ipsec_command() {
echo "$g_product $SHOREWALL_VERSION IPSEC at $g_hostname - $(date)"
show_ipsec
}
# #
# Show Command Executor # Show Command Executor
@@ -1189,10 +1186,10 @@ show_command() {
if [ -n "$foo" ]; then if [ -n "$foo" ]; then
macro=${macro#*.} macro=${macro#*.}
foo=${foo%.*} foo=${foo%.*}
if [ ${#macro} -gt 5 ]; then if [ ${#macro} -gt 10 ]; then
printf " $macro\t${foo#\#}\n" echo " $macro ${foo#\#}"
else else
printf " $macro\t\t${foo#\#}\n" $g_echo_e " $macro \t${foo#\#}"
fi fi
fi fi
} }
@@ -1239,7 +1236,7 @@ show_command() {
[ $# -eq 1 ] && missing_option_value -t [ $# -eq 1 ] && missing_option_value -t
case $2 in case $2 in
mangle|nat|filter|raw) mangle|nat|filter|raw|rawpost)
table=$2 table=$2
table_given=Yes table_given=Yes
;; ;;
@@ -1293,6 +1290,10 @@ show_command() {
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && too_many_arguments $2
eval show_raw $g_pager eval show_raw $g_pager
;; ;;
rawpost)
[ $# -gt 1 ] && too_many_arguments $2
eval show_rawpost $g_pager
;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && too_many_arguments $2
eval show_mangle $g_pager eval show_mangle $g_pager
@@ -1360,14 +1361,14 @@ show_command() {
echo "LIBEXEC=${LIBEXECDIR}" echo "LIBEXEC=${LIBEXECDIR}"
echo "SBINDIR=${SBINDIR}" echo "SBINDIR=${SBINDIR}"
echo "CONFDIR=${CONFDIR}" echo "CONFDIR=${CONFDIR}"
[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}" [ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
else else
echo "Default CONFIG_PATH is $CONFIG_PATH" echo "Default CONFIG_PATH is $CONFIG_PATH"
echo "Default VARDIR is /var/lib/$PRODUCT" echo "Default VARDIR is /var/lib/$g_program"
echo "LIBEXEC is ${LIBEXECDIR}" echo "LIBEXEC is ${LIBEXECDIR}"
echo "SBINDIR is ${SBINDIR}" echo "SBINDIR is ${SBINDIR}"
echo "CONFDIR is ${CONFDIR}" echo "CONFDIR is ${CONFDIR}"
[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}" [ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
fi fi
;; ;;
chain) chain)
@@ -1430,45 +1431,18 @@ show_command() {
$g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter $g_tool -t filter -L dynamic $g_ipt_options | fgrep ACCEPT | $output_filter
fi fi
;; ;;
ipsec)
[ $# -gt 1 ] && too_many_arguments $2
eval show_ipsec_command $g_pager
;;
*) *)
case "$PRODUCT" in case "$g_program" in
*-lite) *-lite)
;; ;;
*) *)
case $1 in case $1 in
action)
[ $# -lt 2 ] && fatal_error 'Missing <action>'
[ $# -gt 2 ] && too_many_arguments $2
for directory in $(split $CONFIG_PATH); do
if [ -f ${directory}/action.$2 ]; then
eval show_an_action $2 $g_pager
return
fi
done
case $2 in
allowBcast|dropBcast|dropNotSyn|rejNotSyn|allowinUPnp|forwardUPnP|Limit)
echo " WARNING: $2 is a built-in action" >&2
;;
*)
echo " WARNING: Action $2 not found" >&2
;;
esac
return
;;
actions) actions)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && too_many_arguments $2
eval show_actions_sorted $g_pager eval show_actions_sorted $g_pager
return return
;; ;;
macro) macro)
[ $# -lt 2 ] && fatal_error 'Missing <macro>'
[ $# -ne 2 ] && too_many_arguments $2 [ $# -ne 2 ] && too_many_arguments $2
for directory in $(split $CONFIG_PATH); do for directory in $(split $CONFIG_PATH); do
if [ -f ${directory}/macro.$2 ]; then if [ -f ${directory}/macro.$2 ]; then
@@ -1609,6 +1583,19 @@ show_status() {
} }
#
# Don't dump empty SPD entries
#
spd_filter()
{
awk \
'BEGIN { skip=0; }; \
/^src/ { skip=0; }; \
/^src 0.0.0.0\/0/ { skip=1; }; \
/^src ::\/0/ { skip=1; }; \
{ if ( skip == 0 ) print; };'
}
# #
# Dump Command Executor # Dump Command Executor
# #
@@ -1704,6 +1691,11 @@ do_dump_command() {
$g_tool -t raw -L $g_ipt_options $g_tool -t raw -L $g_ipt_options
fi fi
if qt $g_tool -t rawpost -L -n; then
heading "Rawpost Table"
$g_tool -t rawpost -L $g_ipt_options
fi
local count local count
local max local max
@@ -1754,7 +1746,10 @@ do_dump_command() {
heading "Events" heading "Events"
show_events show_events
show_ipsec heading "PFKEY SPD"
$IP -s xfrm policy | spd_filter
heading "PFKEY SAD"
$IP -s -$g_family xfrm state | egrep -v '[[:space:]]+(auth-trunc|enc )' # Don't divulge the keys
heading "/proc" heading "/proc"
show_proc /proc/version show_proc /proc/version
@@ -1954,6 +1949,15 @@ read_yesno_with_timeout() {
fi fi
} }
#
# Print a heading with leading and trailing black lines
#
heading() {
echo
echo "$@"
echo
}
# #
# Create the appropriate -q option to pass onward # Create the appropriate -q option to pass onward
# #
@@ -2754,6 +2758,7 @@ determine_capabilities() {
CONNMARK_MATCH= CONNMARK_MATCH=
XCONNMARK_MATCH= XCONNMARK_MATCH=
RAW_TABLE= RAW_TABLE=
RAWPOST_TABLE=
IPP2P_MATCH= IPP2P_MATCH=
OLD_IPP2P_MATCH= OLD_IPP2P_MATCH=
LENGTH_MATCH= LENGTH_MATCH=
@@ -2809,8 +2814,6 @@ determine_capabilities() {
IFACE_MATCH= IFACE_MATCH=
TCPMSS_TARGET= TCPMSS_TARGET=
WAIT_OPTION= WAIT_OPTION=
CPU_FANOUT=
NETMAP_TARGET=
AMANDA_HELPER= AMANDA_HELPER=
FTP_HELPER= FTP_HELPER=
@@ -2845,10 +2848,8 @@ determine_capabilities() {
if qt $g_tool -t nat -N $chain; then if qt $g_tool -t nat -N $chain; then
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
else else
qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
fi fi
qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@@ -3008,6 +3009,7 @@ determine_capabilities() {
fi fi
qt $g_tool -t raw -L -n && RAW_TABLE=Yes qt $g_tool -t raw -L -n && RAW_TABLE=Yes
qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
if [ -n "$RAW_TABLE" ]; then if [ -n "$RAW_TABLE" ]; then
qt $g_tool -t raw -F $chain qt $g_tool -t raw -F $chain
@@ -3109,12 +3111,7 @@ determine_capabilities() {
qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes qt $g_tool -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH HASHLIMIT_MATCH=$OLD_HL_MATCH
fi fi
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
if qt $g_tool -A $chain -j NFQUEUE --queue-num 4; then
NFQUEUE_TARGET=Yes
qt $g_tool -A $chain -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout && CPU_FANOUT=Yes
fi
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
# #
@@ -3233,6 +3230,7 @@ report_capabilities_unsorted() {
report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@@ -3311,8 +3309,6 @@ report_capabilities_unsorted() {
report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
report_capability "CT Target (CT_TARGET)" $CT_TARGET report_capability "CT Target (CT_TARGET)" $CT_TARGET
report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
echo " Kernel Version (KERNELVERSION): $KERNELVERSION" echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
echo " Capabilities Version (CAPVERSION): $CAPVERSION" echo " Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3362,6 +3358,7 @@ report_capabilities_unsorted1() {
report_capability1 CONNMARK_MATCH report_capability1 CONNMARK_MATCH
report_capability1 XCONNMARK_MATCH report_capability1 XCONNMARK_MATCH
report_capability1 RAW_TABLE report_capability1 RAW_TABLE
report_capability1 RAWPOST_TABLE
report_capability1 IPP2P_MATCH report_capability1 IPP2P_MATCH
report_capability1 OLD_IPP2P_MATCH report_capability1 OLD_IPP2P_MATCH
report_capability1 CLASSIFY_TARGET report_capability1 CLASSIFY_TARGET
@@ -3417,8 +3414,6 @@ report_capabilities_unsorted1() {
report_capability1 IFACE_MATCH report_capability1 IFACE_MATCH
report_capability1 TCPMSS_TARGET report_capability1 TCPMSS_TARGET
report_capability1 WAIT_OPTION report_capability1 WAIT_OPTION
report_capability1 CPU_FANOUT
report_capability1 NETMAP_TARGET
report_capability1 AMANDA_HELPER report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER report_capability1 FTP_HELPER
@@ -3890,7 +3885,7 @@ get_config() {
ensure_config_path ensure_config_path
config=$(find_file ${PRODUCT}.conf) config=$(find_file ${g_program}.conf)
if [ -f $config ]; then if [ -f $config ]; then
if [ -r $config ]; then if [ -r $config ]; then
@@ -4296,7 +4291,6 @@ usage() # $1 = exit status
echo " savesets" echo " savesets"
echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
ecko " [ show | list | ls ] actions" ecko " [ show | list | ls ] actions"
ecko " [ show | list | ls ] action <action>"
echo " [ show | list | ls ] arptables" echo " [ show | list | ls ] arptables"
echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] [ -f ] capabilities"
echo " [ show | list | ls ] [ -x ] {bl|blacklists}" echo " [ show | list | ls ] [ -x ] {bl|blacklists}"
@@ -4312,9 +4306,8 @@ usage() # $1 = exit status
echo " [ show | list | ls ] ipa" echo " [ show | list | ls ] ipa"
fi fi
echo " [ show | list | ls ] ipsec"
echo " [ show | list | ls ] [ -m ] log [<regex>]" echo " [ show | list | ls ] [ -m ] log [<regex>]"
echo " [ show | list | ls ] [ -x ] mangle|nat|raw" echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
ecko " [ show | list | ls ] macro <macro>" ecko " [ show | list | ls ] macro <macro>"
ecko " [ show | list | ls ] macros" ecko " [ show | list | ls ] macros"
echo " [ show | list | ls ] nfacct" echo " [ show | list | ls ] nfacct"
@@ -4343,7 +4336,7 @@ usage() # $1 = exit status
# #
# This is the main entry point into the CLI. It directly handles all commands supported # This is the main entry point into the CLI. It directly handles all commands supported
# by both the full and lite versions. Note, however, that functions such as start_command() # by both the full and lite versions. Note, however, that functions such as start_command()
# appear in both this library and in lib.cli-std. The ones in cli-std overload the ones # appear in both this library and it lib.cli-std. The ones in cli-std overload the ones
# here if that lib is loaded below. # here if that lib is loaded below.
# #
shorewall_cli() { shorewall_cli() {
@@ -4391,18 +4384,13 @@ shorewall_cli() {
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1
#
# Set the default product based on the Shorewall packages installed [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
#
set_default_product
finished=0 finished=0
while [ $finished -eq 0 ]; do while [ $finished -eq 0 ]; do
if [ $# -eq 0 ]; then [ $# -eq 0 ] && usage 1
setup_product_environment 1
usage 1
fi
option=$1 option=$1
case $option in case $option in
-) -)
@@ -4491,30 +4479,7 @@ shorewall_cli() {
g_nopager=Yes g_nopager=Yes
option=${option#p} option=${option#p}
;; ;;
6*)
if [ "$PRODUCT" = shorewall ]; then
PRODUCT=shorewall6
elif [ "$PRODUCT" = shorewall-lite ]; then
PRODUCT=shorewall6-lite
fi
option=${option#6}
;;
4*)
if [ "$PRODUCT" = shorewall6 ]; then
PRODUCT=shorewall
elif [ "$PRODUCT" = shorewall6-lite ]; then
PRODUCT=shorewall-lite
fi
option=${option#4}
;;
l*)
if [ "$PRODUCT" = shorewall ]; then
PRODUCT=shorewall-lite
elif [ "$PRODUCT" = shorewall6 ]; then
PRODUCT=shorewall6-lite
fi
option=${option#l}
;;
-) -)
finished=1 finished=1
option= option=
@@ -4532,16 +4497,16 @@ shorewall_cli() {
esac esac
done done
setup_product_environment 1 if [ $# -eq 0 ]; then
usage 1
[ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
[ -n "${VARDIR:=/var/lib/$PRODUCT}" ] [ -n "${VARDIR:=/var/lib/$g_program}" ]
g_firewall=${VARDIR}/firewall g_firewall=${VARDIR}/firewall
@@ -4556,6 +4521,26 @@ shorewall_cli() {
banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -" banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
case $(echo -e) in
-e*)
g_ring_bell="echo \a"
g_echo_e="echo"
;;
*)
g_ring_bell="echo -e \a"
g_echo_e="echo -e"
;;
esac
case $(echo -n "Testing") in
-n*)
g_echo_n=
;;
*)
g_echo_n=-n
;;
esac
COMMAND=$1 COMMAND=$1
case "$COMMAND" in case "$COMMAND" in
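Review bot: The SAD dump inlined after `show_events` in the `@@ -1754,7 +1746,10 @@` hunk filters key material with `egrep -v '[[:space:]]+(auth-trunc|enc )'`, which removes only the `auth-trunc` and `enc` lines of `ip xfrm state`; states using an AEAD algorithm print their key on an `aead` line, and some iproute2 versions print an `auth` line without `-trunc`, so those keys would presumably still end up in the dump output despite the `# Don't divulge the keys` comment. Widening the pattern, e.g. `egrep -v '[[:space:]]+(auth|auth-trunc|aead|enc)[[:space:]]'`, keeps the stated intent; `grep -E` is the non-deprecated spelling of `egrep`. The enclosing do_dump_command() starts and ends outside the hunk.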


@@ -1,440 +0,0 @@
#
# Shorewall 5.0 -- /usr/share/shorewall/lib.core
#
# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# This library contains the code common to all Shorewall components except the
# generated scripts.
#
SHOREWALL_LIBVERSION=50100
#
# Fatal Error
#
fatal_error() # $@ = Message
{
echo " ERROR: $@" >&2
exit 2
}
setup_product_environment() { # $1 = if non-empty, source shorewallrc again now that we have the correct product
g_basedir=${SHAREDIR}/shorewall
g_sharedir="$SHAREDIR"/$PRODUCT
g_confdir="$CONFDIR"/$PRODUCT
case $PRODUCT in
shorewall)
g_product="Shorewall"
g_family=4
g_tool=iptables
g_lite=
;;
shorewall6)
g_product="Shorewall6"
g_family=6
g_tool=ip6tables
g_lite=
;;
shorewall-lite)
g_product="Shorewall Lite"
g_family=4
g_tool=iptables
g_lite=Yes
;;
shorewall6-lite)
g_product="Shorewall6 Lite"
g_family=6
g_tool=ip6tables
g_lite=Yes
;;
*)
fatal_error "Unknown PRODUCT ($PRODUCT)"
;;
esac
[ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system"
#
# We need to do this again, now that we have the correct product
#
[ -n "$1" ] && . ${g_basedir}/shorewallrc
if [ -z "${VARLIB}" ]; then
VARLIB=${VARDIR}
VARDIR=${VARLIB}/${PRODUCT}
elif [ -z "${VARDIR}" ]; then
VARDIR="${VARLIB}/${PRODUCT}"
fi
}
set_default_product() {
case $(basename $0) in
shorewall6)
PRODUCT=shorewall6
;;
shorewall4)
PRODUCT=shorewall
;;
shorewall-lite)
PRODUCT=shorewall-lite
;;
shorewall6-lite)
PRODUCT=shorewall6-lite
;;
*)
if [ -f ${g_basedir}/version ]; then
PRODUCT=shorewall
elif [ -f ${SHAREDIR}/shorewall-lite/version ]; then
PRODUCT=shorewall-lite
elif [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
PRODUCT=shorewall6-lite
else
fatal_error "No Shorewall firewall product is installed"
fi
;;
esac
}
# Not configured Error
#
not_configured_error() # $@ = Message
{
echo " ERROR: $@" >&2
exit 6
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 1 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
}
progress_message2() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -gt 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
}
progress_message3() # $* = Message
{
local timestamp
timestamp=
if [ $VERBOSITY -ge 0 ]; then
[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
echo "${timestamp}$@"
fi
}
#
# Undo the effect of 'separate_list()'
#
combine_list()
{
local f
local o
o=
for f in $* ; do
o="${o:+$o,}$f"
done
echo $o
}
#
# Validate an IP address
#
valid_address() {
local x
local y
local ifs
ifs=$IFS
IFS=.
for x in $1; do
case $x in
[0-9]|[0-9][0-9]|[1-2][0-9][0-9])
[ $x -lt 256 ] || { IFS=$ifs; return 2; }
;;
*)
IFS=$ifs
return 2
;;
esac
done
IFS=$ifs
return 0
}
#
# Miserable Hack to work around broken BusyBox ash in OpenWRT
#
addr_comp() {
test $(bc <<EOF
$1 > $2
EOF
) -eq 1
}
#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
local first
local last
local l
local x
local y
local z
local vlsm
case $1 in
!*)
#
# Let iptables complain if it's a range
#
echo $1
return
;;
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if addr_comp $first $last; then
fatal_error "Invalid IP address range: $1"
fi
l=$(( $last + 1 ))
while addr_comp $l $first; do
vlsm=
x=31
y=2
z=1
while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
y=$(( $y * 2 ))
done
echo $(encodeaddr $first)$vlsm
first=$(($first + $z))
done
}
ip_range_explicit() {
local first
local last
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if addr_comp $first $last; then
fatal_error "Invalid IP address range: $1"
fi
while ! addr_comp $first $last; do
echo $(encodeaddr $first)
first=$(($first + 1))
done
}
[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
#
# Netmask to VLSM
#
ip_vlsm() {
local mask
mask=$(decodeaddr $1)
local vlsm
vlsm=0
local x
x=$(( 128 << 24 )) # 0x80000000
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1))
done
if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2
else
echo $vlsm
fi
}
#
# Set default config path
#
ensure_config_path() {
local F
F=${g_sharedir}/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
fi
if [ -n "$g_shorewalldir" ]; then
[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
fi
}
#
# Get fully-qualified name of file
#
resolve_file() # $1 = file name
{
local pwd
pwd=$PWD
case $1 in
/*)
echo $1
;;
.)
echo $pwd
;;
./*)
echo ${pwd}${1#.}
;;
..)
cd ..
echo $PWD
cd $pwd
;;
../*)
cd ..
resolve_file ${1#../}
cd $pwd
;;
*)
echo $pwd/$1
;;
esac
}
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
#
# None - No mktemp
# BSD - BSD mktemp (Mandrake)
# STD - mktemp.org mktemp
#
find_mktemp() {
local mktemp
mktemp=`mywhich mktemp 2> /dev/null`
if [ -n "$mktemp" ]; then
if qt mktemp -V ; then
MKTEMP=STD
else
MKTEMP=BSD
fi
else
MKTEMP=None
fi
}
#
# create a temporary file. If a directory name is passed, the file will be created in
# that directory. Otherwise, it will be created in a temporary directory.
#
mktempfile() {
[ -z "$MKTEMP" ] && find_mktemp
if [ $# -gt 0 ]; then
case "$MKTEMP" in
BSD)
mktemp $1/shorewall.XXXXXX
;;
STD)
mktemp -p $1 shorewall.XXXXXX
;;
None)
> $1/shorewall-$$ && echo $1/shorewall-$$
;;
*)
error_message "ERROR:Internal error in mktempfile"
;;
esac
else
case "$MKTEMP" in
BSD)
mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
;;
STD)
mktemp -t shorewall.XXXXXX
;;
None)
rm -f ${TMPDIR:-/tmp}/shorewall-$$
> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
;;
*)
error_message "ERROR:Internal error in mktempfile"
;;
esac
fi
}


@@ -81,6 +81,7 @@ if [ $# -eq 0 ]; then
. ./shorewallrc . ./shorewallrc
elif [ -f ~/.shorewallrc ]; then elif [ -f ~/.shorewallrc ]; then
. ~/.shorewallrc || exit 1 . ~/.shorewallrc || exit 1
file=./.shorewallrc
elif [ -f /usr/share/shorewall/shorewallrc ]; then elif [ -f /usr/share/shorewall/shorewallrc ]; then
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
else else
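Review bot: `file=./.shorewallrc` records a path that is not the one this branch just sourced (`~/.shorewallrc`), so anything that later reads `$file` (not visible in this hunk) points at a file in the current directory that may not exist; it should be `file=~/.shorewallrc`. The `./shorewallrc` branch above it sets no `file` at all, so in that case `$file` is whatever an earlier assignment left, which is worth a comment if it is intentional. The enclosing `if` continues past the end of the hunk.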


@@ -31,10 +31,8 @@ setstatedir() {
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ ! -x $STATEDIR/firewall ]; then if [ ! -x $STATEDIR/firewall ]; then
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall compile ${SBINDIR}/$PRODUCT compile
elif [ $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall -6 compile
fi fi
fi fi
} }
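Review bot: `[ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]` relies on the deprecated `-o` operator and leaves `$PRODUCT` unquoted, so an empty value or one containing whitespace produces a `test` error (exit 2) instead of a clean false; a `case` is portable and unambiguous: `case "$PRODUCT" in shorewall|shorewall6) "${SBINDIR}/$PRODUCT" compile ;; esac`. The same hunk tests `-x $STATEDIR/firewall` unquoted although `STATEDIR` may come from the user-supplied `$statedir` on the line above, and the sibling script in this compare already writes `"$STATEDIR/firewall"`. When the compile runs it is the last command in the function, so its exit status becomes what `setstatedir` returns; the callers that depend on that are not visible here.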


@@ -33,11 +33,9 @@ setstatedir() {
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ ! -x $STATEDIR/firewall ]; then if [ ! -x "$STATEDIR/firewall" ]; then
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
${SBINDIR}/shorewall compile ${SBINDIR}/$PRODUCT $OPTIONS compile
elif [ $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall -6 compile
fi fi
fi fi
} }
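Review bot: `[ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]` uses `==`, which is a bash extension to `test`; if this init script is run by a POSIX `/bin/sh` (dash, busybox) the comparison fails with an "unexpected operator" error and the firewall script is never compiled. The other `setstatedir` copies in this compare use `=`, so use `=` here as well, or `case "$PRODUCT" in shorewall|shorewall6) ${SBINDIR}/$PRODUCT $OPTIONS compile ;; esac`, which needs neither `==` nor `-o`. `$OPTIONS` is expanded unquoted, presumably on purpose so it can carry several options; a one-line comment saying so would keep the next reader from quoting it.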


@@ -31,10 +31,8 @@ setstatedir() {
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ ! -x $STATEDIR/firewall ]; then if [ ! -x $STATEDIR/firewall ]; then
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall compile ${SBINDIR}/$PRODUCT compile
elif [ $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall -6 compile
fi fi
fi fi
} }
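Review bot: `[ ! -x $STATEDIR/firewall ]` leaves the path unquoted, whereas the equivalent hunk elsewhere in this compare writes `[ ! -x "$STATEDIR/firewall" ]`; since `STATEDIR` is taken from a user-supplied `$statedir` on the line above, quote it here too so a value with whitespace is tested correctly instead of turning into a `test` error. `[ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]` uses the deprecated `-o` form; `case "$PRODUCT" in shorewall|shorewall6) ${SBINDIR}/$PRODUCT compile ;; esac` avoids it and reads more clearly.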


@@ -73,10 +73,8 @@ setstatedir() {
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall compile ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
elif [ $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall -6 compile
else else
return 0 return 0
fi fi
@@ -104,7 +102,7 @@ shorewall_start () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Initializing \"Shorewall-based firewalls\": " echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
@@ -125,7 +123,7 @@ shorewall_start () {
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
printf "Restoring ipsets: " echo -n "Restoring ipsets: "
if ! ipset -R < "$SAVE_IPSETS"; then if ! ipset -R < "$SAVE_IPSETS"; then
echo_notdone echo_notdone
@@ -142,7 +140,7 @@ shorewall_stop () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Clearing \"Shorewall-based firewalls\": " echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x ${STATEDIR}/firewall ]; then if [ -x ${STATEDIR}/firewall ]; then
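Review bot: Replacing `printf "...: "` with `echo -n` makes every status line depend on the shell's `echo` honouring `-n`, which POSIX leaves implementation-defined; on a `sh` whose builtin prints `-n` literally the output is garbled, so the `printf` form was the portable one. More important in the restore hunk: `if ! ipset -R < "$SAVE_IPSETS"; then echo_notdone` only reports the failure and what follows lies outside the hunk — if `shorewall_start` then loads a ruleset that references those sets, a failed restore silently becomes a firewall whose set-based rules do not match what the administrator saved, so consider returning non-zero there. `${SBINDIR}/$PRODUCT ${OPTIONS} compile -c` expands `$OPTIONS` unquoted, presumably so one variable can hold several options; a comment stating that would stop a later cleanup from quoting it.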


@@ -44,10 +44,8 @@ setstatedir() {
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
${SBINDIR}/shorewall compile ${SBINDIR}/$PRODUCT $OPTIONS compile -c
elif [ $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall -6 compile
else else
return 0 return 0
fi fi
@@ -64,7 +62,7 @@ start () {
return 6 #Not configured return 6 #Not configured
fi fi
printf "Initializing \"Shorewall-based firewalls\": " echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
setstatedir setstatedir
@@ -99,7 +97,7 @@ stop () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Clearing \"Shorewall-based firewalls\": " echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
setstatedir setstatedir
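Review bot: `[ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]` depends on bash's `==` extension to `test`; under a POSIX `/bin/sh` it raises an "unexpected operator" error, the `if` is false, and the function falls into `else return 0`, so the compile is silently skipped. Use `=` as the other `setstatedir` variants in this compare do, or `case "$PRODUCT" in shorewall|shorewall6)`. Note also that `start` and `stop` here call `setstatedir` bare rather than `if setstatedir; then` as the other init scripts do, so a failing `compile -c` is not acted on by these callers; the rest of both functions lies outside the hunk.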


@@ -75,10 +75,8 @@ setstatedir() {
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall compile ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
elif [ $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall -6 compile
else else
return 0 return 0
fi fi
@@ -89,7 +87,7 @@ start () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Initializing \"Shorewall-based firewalls\": " echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x ${STATEDIR}/firewall ]; then if [ -x ${STATEDIR}/firewall ]; then
@@ -114,7 +112,7 @@ stop () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Clearing \"Shorewall-based firewalls\": " echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x ${STATEDIR}/firewall ]; then if [ -x ${STATEDIR}/firewall ]; then
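Review bot: `setstatedir` compiles straight into `$STATEDIR/firewall` (`${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall`) and both `start` and `stop` then decide what to run with `[ -x ${STATEDIR}/firewall ]` alone; unless the compiler writes that file atomically, a failed compile can leave a partial or stale script that still passes the `-x` test and is executed as root. Check the compile's status explicitly, e.g. `${SBINDIR}/$PRODUCT ${OPTIONS} compile "$STATEDIR/firewall" || return 1`, so that `if setstatedir; then` in the callers actually gates on success. The other init scripts in this compare use `compile -c` instead of naming the output file, so this difference deserves a comment. The remainder of `setstatedir` and of both callers is outside the hunk.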


@@ -81,7 +81,7 @@ shorewall_start () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Initializing \"Shorewall-based firewalls\": " echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x ${STATEDIR}/firewall ]; then if [ -x ${STATEDIR}/firewall ]; then
@@ -104,7 +104,7 @@ shorewall_stop () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Clearing \"Shorewall-based firewalls\": " echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x ${STATEDIR}/firewall ]; then if [ -x ${STATEDIR}/firewall ]; then


@@ -79,10 +79,8 @@ setstatedir() {
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall compile ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
elif [ $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall -6 compile
else else
return 0 return 0
fi fi
@@ -93,7 +91,7 @@ shorewall_start () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Initializing \"Shorewall-based firewalls\": " echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x $STATEDIR/firewall ]; then if [ -x $STATEDIR/firewall ]; then
@@ -114,7 +112,7 @@ shorewall_stop () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Clearing \"Shorewall-based firewalls\": " echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x ${STATEDIR}/firewall ]; then if [ -x ${STATEDIR}/firewall ]; then


@@ -164,10 +164,10 @@ if [ $# -eq 0 ]; then
# #
if [ -f ./shorewallrc ]; then if [ -f ./shorewallrc ]; then
. ./shorewallrc || exit 1 . ./shorewallrc || exit 1
file=./shorewallrc file=~/.shorewallrc
elif [ -f ~/.shorewallrc ]; then elif [ -f ~/.shorewallrc ]; then
. ~/.shorewallrc || exit 1 . ~/.shorewallrc || exit 1
file=~/.shorewallrc file=./.shorewallrc
else else
fatal_error "No configuration file specified and ~/.shorewallrc not found" fatal_error "No configuration file specified and ~/.shorewallrc not found"
fi fi
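Review bot: After this change both branches record a `file` path that differs from the one they source: the first sources `./shorewallrc` but sets `file=~/.shorewallrc`, the second sources `~/.shorewallrc` but sets `file=./.shorewallrc`. Whatever later consumes `$file` (not visible here — presumably the installer copies or rewrites it) will therefore act on a file other than the configuration actually in effect, and `./.shorewallrc` may not exist at all. The assignments should match the sourced paths, `file=./shorewallrc` and `file=~/.shorewallrc` respectively. The enclosing `if` runs past the end of the hunk.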


@@ -33,10 +33,8 @@ setstatedir() {
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT} [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ $PRODUCT = shorewall ]; then if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall compile ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
elif [ $PRODUCT = shorewall6 ]; then
${SBINDIR}/shorewall -6 compile
else else
return 0 return 0
fi fi
@@ -64,7 +62,7 @@ shorewall_start () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Initializing \"Shorewall-based firewalls\": " echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x ${STATEDIR}/firewall ]; then if [ -x ${STATEDIR}/firewall ]; then
@@ -92,7 +90,7 @@ shorewall_stop () {
local PRODUCT local PRODUCT
local STATEDIR local STATEDIR
printf "Clearing \"Shorewall-based firewalls\": " echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for PRODUCT in $PRODUCTS; do
if setstatedir; then if setstatedir; then
if [ -x ${STATEDIR}/firewall ]; then if [ -x ${STATEDIR}/firewall ]; then


@@ -126,6 +126,7 @@ if [ $# -eq 0 ]; then
. ./shorewallrc . ./shorewallrc
elif [ -f ~/.shorewallrc ]; then elif [ -f ~/.shorewallrc ]; then
. ~/.shorewallrc || exit 1 . ~/.shorewallrc || exit 1
file=./.shorewallrc
elif [ -f /usr/share/shorewall/shorewallrc ]; then elif [ -f /usr/share/shorewall/shorewallrc ]; then
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
else else
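Review bot: `file=./.shorewallrc` is set in the branch that sources `~/.shorewallrc`, so `$file` names a file in the current directory rather than the one just read; it should be `file=~/.shorewallrc`. If `$file` is later used to copy or patch the rc file (not visible in this hunk), the installer would act on the wrong, possibly non-existent, file. The `./shorewallrc` branch above it assigns no `file`, so that value is whatever an earlier assignment left.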

18
Shorewall-lite/Makefile Normal file

@@ -0,0 +1,18 @@
# Shorewall Lite Makefile to restart if firewall script is newer than last restart
VARDIR=$(shell /sbin/shorewall-lite show vardir)
SHAREDIR=/usr/share/shorewall-lite
RESTOREFILE?=.restore
all: $(VARDIR)/$(RESTOREFILE)
$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
@/sbin/shorewall-lite -q save >/dev/null; \
if \
/sbin/shorewall-lite -q restart >/dev/null 2>&1; \
then \
/sbin/shorewall-lite -q save >/dev/null; \
else \
/sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
fi
# EOF
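Review bot: On failure the recipe runs `/sbin/shorewall-lite -q restart` a second time purely to capture its diagnostics, so a restart that failed part-way is attempted again on a firewall that is already in an uncertain state — and if the second attempt happens to succeed, the rule still exits 1 and the post-restart `save` is skipped, leaving the restore file stale. Capture the output of the single attempt instead, as the Shorewall Makefile in this same compare does with `RESULT=$$(...)`. Separately, the target is `$(VARDIR)/$(RESTOREFILE)` with `RESTOREFILE?=.restore`, but nothing here ensures `save` writes that exact name; if the configured restore file differs, the target is never created and the rule fires on every `make`, which deserves a comment.

```makefile
$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
	@/sbin/shorewall-lite -q save >/dev/null; \
	RESULT=$$(/sbin/shorewall-lite -q restart 2>&1); \
	if [ $$? -eq 0 ]; then \
	    /sbin/shorewall-lite -q save >/dev/null; \
	else \
	    printf '%s\n' "$${RESULT}" >&2; false; \
	fi
```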


@@ -13,7 +13,7 @@
. /lib/lsb/init-functions . /lib/lsb/init-functions
SRWL='/sbin/shorewall -l' SRWL=/sbin/shorewall-lite
SRWL_OPTS="-tvv" SRWL_OPTS="-tvv"
test -n ${INITLOG:=/var/log/shorewall-lite-init.log} test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
@@ -85,7 +85,7 @@ fi
# start the firewall # start the firewall
shorewall_start () { shorewall_start () {
printf "Starting \"Shorewall firewall\": " echo -n "Starting \"Shorewall firewall\": "
$SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
} }
@@ -93,10 +93,10 @@ shorewall_start () {
# stop the firewall # stop the firewall
shorewall_stop () { shorewall_stop () {
if [ "$SAFESTOP" = 1 ]; then if [ "$SAFESTOP" = 1 ]; then
printf "Stopping \"Shorewall Lite firewall\": " echo -n "Stopping \"Shorewall Lite firewall\": "
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
else else
printf "Clearing all \"Shorewall Lite firewall\" rules: " echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
fi fi
return 0 return 0
@@ -104,14 +104,14 @@ shorewall_stop () {
# restart the firewall # restart the firewall
shorewall_restart () { shorewall_restart () {
printf "Restarting \"Shorewall firewall\": " echo -n "Restarting \"Shorewall firewall\": "
$SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
} }
# refresh the firewall # refresh the firewall
shorewall_refresh () { shorewall_refresh () {
printf "Refreshing \"Shorewall firewall\": " echo -n "Refreshing \"Shorewall firewall\": "
$SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
} }


@@ -25,7 +25,7 @@
# #
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
prog="shorewall -l" prog="shorewall-lite"
shorewall="${SBINDIR}/$prog" shorewall="${SBINDIR}/$prog"
logger="logger -i -t $prog" logger="logger -i -t $prog"
lockfile="/var/lock/subsys/$prog" lockfile="/var/lock/subsys/$prog"
@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
fi fi
start() { start() {
printf $"Starting Shorewall: " echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
} }
stop() { stop() {
printf $"Stopping Shorewall: " echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger $shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
@@ -68,7 +68,7 @@ stop() {
restart() { restart() {
# Note that we don't simply stop and start since shorewall has a built in # Note that we don't simply stop and start since shorewall has a built in
# restart which stops the firewall if running and then starts it. # restart which stops the firewall if running and then starts it.
printf $"Restarting Shorewall: " echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then


@@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1
command="$action" command="$action"
start() { start() {
exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS
} }
boot() { boot() {
@@ -78,17 +78,17 @@ boot() {
} }
restart() { restart() {
exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS
} }
reload() { reload() {
exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION
} }
stop() { stop() {
exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS
} }
status() { status() {
exec ${SBINDIR}/shorewall -l $OPTIONS $command $@ exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
} }
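Review bot: `status()` forwards the remaining arguments as a bare `$@`, so an argument containing whitespace or glob characters is re-split and re-globbed before it reaches `shorewall-lite`; the line should read `exec ${SBINDIR}/shorewall-lite $OPTIONS $command "$@"`. The other wrappers in the hunk expand `$STARTOPTIONS`/`$RESTARTOPTIONS` unquoted, presumably so a single variable can hold several options, but `"$@"` already preserves the caller's word boundaries and needs no splitting.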


@@ -114,7 +114,7 @@ require()
# #
cd "$(dirname $0)" cd "$(dirname $0)"
if [ -f shorewall-lite.service ]; then if [ -f shorewall-lite ]; then
PRODUCT=shorewall-lite PRODUCT=shorewall-lite
Product="Shorewall Lite" Product="Shorewall Lite"
else else
@@ -331,6 +331,7 @@ if [ -n "$DESTDIR" ]; then
OWNERSHIP="" OWNERSHIP=""
fi fi
make_directory ${DESTDIR}${SBINDIR} 755
make_directory ${DESTDIR}${INITDIR} 755 make_directory ${DESTDIR}${INITDIR} 755
else else
@@ -361,9 +362,9 @@ else
fi fi
# #
# Check for ${SHAREDIR}/$PRODUCT/version # Check for ${SBINDIR}/$PRODUCT
# #
if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
first_install="" first_install=""
else else
first_install="Yes" first_install="Yes"
@@ -371,15 +372,17 @@ fi
delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
[ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755
echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
# #
# Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
# #
mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
mkdir -p ${DESTDIR}${SBINDIR}
mkdir -p ${DESTDIR}${VARDIR} mkdir -p ${DESTDIR}${VARDIR}
chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
@@ -430,6 +433,15 @@ elif [ $HOST = gentoo ]; then
# Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316) # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
fi fi
#
# Install the Makefile
#
install_file Makefile ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile 0600
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
[ $SBINDIR = /sbin ] || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile
echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
# #
# Install the default config path file # Install the default config path file
# #
@@ -486,7 +498,7 @@ done
if [ -d manpages -a -n "$MANDIR" ]; then if [ -d manpages -a -n "$MANDIR" ]; then
cd manpages cd manpages
mkdir -p ${DESTDIR}${MANDIR}/man5/ mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
for f in *.5; do for f in *.5; do
gzip -c $f > $f.gz gzip -c $f > $f.gz
@@ -494,8 +506,6 @@ if [ -d manpages -a -n "$MANDIR" ]; then
echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz" echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
done done
mkdir -p ${DESTDIR}${MANDIR}/man8/
for f in *.8; do for f in *.8; do
gzip -c $f > $f.gz gzip -c $f > $f.gz
install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644 install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644
@@ -530,11 +540,6 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
#
# Creatae the symbolic link for the CLI
#
ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
# #
# Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
# #
@@ -550,6 +555,7 @@ fi
if [ ${SHAREDIR} != /usr/share ]; then if [ ${SHAREDIR} != /usr/share ]; then
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
fi fi
if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
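Review bot: The new fix-ups `eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ...`, the matching `/sbin/` one, and the added `lib.base`-style edit of `${DESTDIR}${SBINDIR}/$PRODUCT` re-parse a configuration-supplied path through `eval`; a `SHAREDIR` or `SBINDIR` value containing a quote, `;` or whitespace is then executed as shell rather than used as text. `eval` buys nothing here — a double-quoted expression performs the same substitution without re-parsing: `sed -i "s|/usr/share/|${SHAREDIR}/|" "${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"`. The `/sbin/` substitution also matches inside any longer path containing `/sbin/`, so a comment noting that the Makefile is expected to reference only `/sbin/shorewall-lite` would make the assumption explicit. `[ $SHAREDIR = /usr/share ]` and `[ $SBINDIR = /sbin ]` should quote the variable for the same reason.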



@@ -45,20 +45,19 @@
# require Shorewall to be installed. # require Shorewall to be installed.
PRODUCT=shorewall-lite g_program=shorewall-lite
# #
# This is modified by the installer when ${SHAREDIR} != /usr/share # This is modified by the installer when ${SHAREDIR} != /usr/share
# #
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
g_basedir=${SHAREDIR}/shorewall g_sharedir="$SHAREDIR"/shorewall-lite
g_confdir="$CONFDIR"/shorewall-lite
g_readrc=1
. ${SHAREDIR}/shorewall/lib.cli . ${SHAREDIR}/shorewall/lib.cli
. /usr/share/shorewall-lite/configpath
setup_product_environment
. ${SHAREDIR}/shorewall-lite/configpath
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

42
Shorewall-lite/shorewall-lite Executable file

@@ -0,0 +1,42 @@
#!/bin/sh
#
# Shorewall Lite Packet Filtering Firewall Control Program - V4.5
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
# Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
#
################################################################################################
PRODUCT=shorewall-lite
#
# This is modified by the installer when ${SHAREDIR} != /usr/share
#
. /usr/share/shorewall/shorewallrc
g_program=$PRODUCT
g_sharedir="$SHAREDIR"/shorewall-lite
g_confdir="$CONFDIR"/shorewall-lite
g_readrc=1
. ${SHAREDIR}/shorewall/lib.cli
shorewall_cli $@
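Review bot: `shorewall_cli $@` hands the command line on unquoted, so any argument containing spaces or shell wildcards is re-split and globbed before `shorewall_cli` sees it; make it `shorewall_cli "$@"`. `. ${SHAREDIR}/shorewall/lib.cli` leaves `SHAREDIR` unquoted as well, although the installer's `sed` rewrite of the `/usr/share/shorewall/shorewallrc` line above (visible in the install script in this compare) suggests it is expected to be a plain path, which the comment could state. The header still reads "V4.5" with copyright years ending in 2014, which will drift from the rest of the package; either drop the version from the comment or keep it current.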


@@ -16,7 +16,7 @@ RemainAfterExit=yes
EnvironmentFile=-/etc/default/shorewall-lite EnvironmentFile=-/etc/default/shorewall-lite
StandardOutput=syslog StandardOutput=syslog
ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
ExecStop=/sbin/shorewall-lite $OPTIONS stop ExecStop=/sbin/shorewall-lite $OPTIONS clear
ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
[Install] [Install]
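Review bot: `ExecStop=/sbin/shorewall-lite $OPTIONS clear` means that `systemctl stop shorewall-lite` — including the stop run during shutdown or a package upgrade — removes every rule and leaves the host fully open, whereas `stop` would leave the restricted stopped-state rules in place. The sysvinit script in this same compare only uses `stop` when `SAFESTOP=1` and clears otherwise, and this unit already loads `EnvironmentFile=-/etc/default/shorewall-lite`, so the two entry points now disagree about what stopping the service means for a host with `SAFESTOP` set. If unconditional clearing is the intended Debian behaviour, say so on the line, e.g. `# 'clear' opens the firewall completely on stop; 'stop' would keep the stopped-state rules`, so an administrator reading the unit knows the exposure. Otherwise route the stop through the same `SAFESTOP` check the init script applies.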


@@ -125,6 +125,7 @@ if [ $# -eq 0 ]; then
. ./shorewallrc . ./shorewallrc
elif [ -f ~/.shorewallrc ]; then elif [ -f ~/.shorewallrc ]; then
. ~/.shorewallrc || exit 1 . ~/.shorewallrc || exit 1
file=./.shorewallrc
elif [ -f /usr/share/shorewall/shorewallrc ]; then elif [ -f /usr/share/shorewall/shorewallrc ]; then
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
else else
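Review bot: `file=./.shorewallrc` names a file in the current directory while the branch it sits in sources `~/.shorewallrc`, so `$file` no longer identifies the configuration that was read; it should be `file=~/.shorewallrc`. How `$file` is consumed is outside this hunk, but any copy or rewrite of it would hit a different, possibly absent, file. The `./shorewallrc` branch above leaves `file` unassigned, which is worth a comment if deliberate.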


@@ -1,50 +0,0 @@
#
# Shorewall - /usr/share/shorewall/action.BLACKLIST
#
# This action:
#
# - Adds the sender to the dynamic blacklist ipset
# - Optionally acts on the packet (default is DROP)
#
# Parameters:
#
# 1 - Action to take after adding the packet. Default is DROP.
# Pass -- if you don't want to take any action.
# 2 - Timeout for ipset entry. Default is the timeout specified in
# DYNAMIC_BLACKLIST or the one specified when the ipset was created.
#
###############################################################################
# Note -- This action is defined with the 'section' option, so the first
# parameter is always the section name. That means that in the
# following text, the first parameter passed in the rule is actually
# @2.
###############################################################################
?if $1 eq 'BLACKLIST'
?if $BLACKLIST_LOGLEVEL
blacklog
?else
$BLACKLIST_DISPOSITION
?endif
?else
?if ! "$SW_DBL_IPSET"
? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
?endif
DEFAULTS -,DROP,-
#
# Add to the blacklist
#
?if passed(@3)
ADD($SW_DBL_IPSET:src:@3)
?elsif $SW_DBL_TIMEOUT
ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
?else
ADD($SW_DBL_IPSET:src)
?endif
#
# Dispose of the packet if asked
#
?if passed(@2)
@2
?endif
?endif


@@ -1,10 +0,0 @@
#
# Shorewall -- /usr/share/shorewall/action.DropDNSrep
#
# This macro silently drops DNS UDP replies that are in the New state
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
DEFAULTS DROP
@1 - - udp - 53 { comment="Late DNS Replies" }


@@ -0,0 +1,13 @@
#
# Shorewall -- /usr/share/shorewall/macro.blacklist
#
# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
?if $BLACKLIST_LOGLEVEL
blacklog
?else
$BLACKLIST_DISPOSITION
?endif


@@ -0,0 +1,49 @@
#
# Shorewall -- /usr/share/shorewall/macro.Drop
#
# This macro generates the same rules as the Drop default action
# It is used in place of action.Drop when USE_ACTIONS=No.
#
# Example:
#
# Drop net all
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
#
# Don't log 'auth' DROP
#
DROP - - tcp 113
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DROP - - udp 135,445
DROP - - udp 137:139
DROP - - udp 1024: 137
DROP - - tcp 135,139,445
DROP - - udp 1900
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DROP - - udp - 53


@@ -0,0 +1,12 @@
#
# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
#
# This macro silently drops DNS UDP replies
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
?COMMENT Late DNS Replies
DEFAULT DROP
PARAM - - udp - 53


@@ -0,0 +1,49 @@
#
# Shorewall -- /usr/share/shorewall/macro.Reject
#
# This macro generates the same rules as the Reject default action
# It is used in place of action.Reject when USE_ACTIONS=No.
#
# Example:
#
# Reject loc fw
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
#
# Don't log 'auth' REJECT
#
REJECT - - tcp 113
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
REJECT - - udp 135,445
REJECT - - udp 137:139
REJECT - - udp 1024: 137
REJECT - - tcp 135,139,445
DROP - - udp 1900
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DROP - - udp - 53

23
Shorewall/Makefile Normal file

@@ -0,0 +1,23 @@
#
# Shorewall -- /etc/shorewall/Makefile
#
# Reload Shorewall if config files are updated.
SWBIN ?= /sbin/shorewall -q
CONFDIR ?= /etc/shorewall
SWSTATE ?= $(shell $(SWBIN) show vardir)/firewall
.PHONY: clean
$(SWSTATE): $(CONFDIR)/*
@$(SWBIN) save >/dev/null; \
RESULT=$$($(SWBIN) reload 2>&1); \
if [ $$? -eq 0 ]; then \
$(SWBIN) save >/dev/null; \
else \
echo "$${RESULT}" >&2; \
false; \
fi
clean:
@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~


@@ -120,6 +120,7 @@ our @EXPORT = ( qw(
%chain_table %chain_table
%targets %targets
$raw_table $raw_table
$rawpost_table
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
@@ -196,6 +197,7 @@ our %EXPORT_TAGS = (
ensure_mangle_chain ensure_mangle_chain
ensure_nat_chain ensure_nat_chain
ensure_raw_chain ensure_raw_chain
ensure_rawpost_chain
new_standard_chain new_standard_chain
new_action_chain new_action_chain
new_builtin_chain new_builtin_chain
@@ -416,6 +418,7 @@ our $VERSION = 'MODULEVERSION';
# #
our %chain_table; our %chain_table;
our $raw_table; our $raw_table;
our $rawpost_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
@@ -756,11 +759,13 @@ sub initialize( $$$ ) {
( $family, my $hard, $export ) = @_; ( $family, my $hard, $export ) = @_;
%chain_table = ( raw => {}, %chain_table = ( raw => {},
rawpost => {},
mangle => {}, mangle => {},
nat => {}, nat => {},
filter => {} ); filter => {} );
$raw_table = $chain_table{raw}; $raw_table = $chain_table{raw};
$rawpost_table = $chain_table{rawpost};
$nat_table = $chain_table{nat}; $nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle}; $mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter}; $filter_table = $chain_table{filter};
@@ -2721,6 +2726,24 @@ sub ensure_accounting_chain( $$$ )
$chainref->{restricted} = NO_RESTRICT; $chainref->{restricted} = NO_RESTRICT;
$chainref->{ipsec} = $ipsec; $chainref->{ipsec} = $ipsec;
$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING}; $chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
if ( $config{CHAIN_SCRIPTS} ) {
unless ( $chain eq 'accounting' ) {
my $file = find_file $chain;
if ( -f $file ) {
progress_message "Running $file...";
my ( $level, $tag ) = ( '', '' );
unless ( my $return = eval `cat $file` ) {
fatal_error "Couldn't parse $file: $@" if $@;
fatal_error "Couldn't do $file: $!" unless defined $return;
fatal_error "Couldn't run $file" unless $return;
}
}
}
}
} }
$chainref; $chainref;
@@ -2759,6 +2782,14 @@ sub ensure_raw_chain($) {
$chainref; $chainref;
} }
sub ensure_rawpost_chain($) {
my $chain = $_[0];
my $chainref = ensure_chain 'rawpost', $chain;
$chainref->{referenced} = 1;
$chainref;
}
# #
# Add a builtin chain # Add a builtin chain
# #
@@ -2957,6 +2988,8 @@ sub initialize_chain_table($) {
new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0; new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
} }
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
for my $chain ( qw(INPUT OUTPUT FORWARD) ) { for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
new_builtin_chain 'filter', $chain, 'DROP'; new_builtin_chain 'filter', $chain, 'DROP';
} }
@@ -3019,6 +3052,8 @@ sub initialize_chain_table($) {
new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0; new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
} }
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
for my $chain ( qw(INPUT OUTPUT FORWARD) ) { for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
new_builtin_chain 'filter', $chain, 'DROP'; new_builtin_chain 'filter', $chain, 'DROP';
} }
@@ -3322,7 +3357,7 @@ sub check_optimization( $ ) {
# When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set. # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
# #
sub optimize_level0() { sub optimize_level0() {
for my $table ( qw/raw mangle nat filter/ ) { for my $table ( qw/raw rawpost mangle nat filter/ ) {
my $tableref = $chain_table{$table}; my $tableref = $chain_table{$table};
next unless $tableref; next unless $tableref;
@@ -3572,7 +3607,7 @@ sub optimize_level4( $$ ) {
if ( my $chains = @chains ) { if ( my $chains = @chains ) {
$passes++; $passes++;
progress_message "\n Table $table pass $passes, $chains short chains, level 4c..."; progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
my $name = $chainref->{name}; my $name = $chainref->{name};
@@ -4241,6 +4276,7 @@ sub valid_tables() {
my @table_list; my @table_list;
push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
push @table_list, 'filter'; #MUST BE LAST!!! push @table_list, 'filter'; #MUST BE LAST!!!
@@ -7590,7 +7626,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
# #
# Returns the destination interface specified in the rule, if any. # Returns the destination interface specified in the rule, if any.
# #
sub expand_rule1( $$$$$$$$$$$$;$ ) sub expand_rule( $$$$$$$$$$$$;$ )
{ {
my ($chainref , # Chain my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST $restriction, # Determines what to do with interface names in the SOURCE or DEST
@@ -7607,6 +7643,8 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
$logname, # Name of chain to name in log messages $logname, # Name of chain to name in log messages
) = @_; ) = @_;
return if $chainref->{complete};
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
( '', '', '', '', '', '', '', '', '', '' ); ( '', '', '', '', '', '', '', '', '', '' );
my $chain = $actparams{chain} || $chainref->{name}; my $chain = $actparams{chain} || $chainref->{name};
@@ -7841,78 +7879,6 @@ sub expand_rule1( $$$$$$$$$$$$;$ )
$diface; $diface;
} }
sub expand_rule( $$$$$$$$$$$$;$$$ )
{
my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST
$prerule, # Matches that go at the front of the rule
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
$source, # SOURCE
$dest, # DEST
$origdest, # ORIGINAL DEST
$target, # Target ('-j' part of the rule - may be empty)
$loglevel , # Log level (and tag)
$disposition, # Primtive part of the target (RETURN, ACCEPT, ...)
$exceptionrule,# Caller's matches used in exclusion case
$usergenerated,# Rule came from the IP[6]TABLES target
$logname, # Name of chain to name in log messages
$device, # TC Device Name
$classid, # TC Class Id
) = @_;
return if $chainref->{complete};
my ( @source, @dest );
$source = '' unless defined $source;
$dest = '' unless defined $dest;
if ( $source =~ /\(.+\)/ ) {
@source = split_list3( $source, 'SOURCE' );
} else {
@source = ( $source );
}
if ( $dest =~ /\(.+\)/ ) {
@dest = split_list3( $dest, 'DEST' );
} else {
@dest = ( $dest );
}
for $source ( @source ) {
if ( $source =~ /^(.+?):\((.+)\)$/ ) {
$source = join( ':', $1, $2 );
} elsif ( $source =~ /^\((.+)\)$/ ) {
$source = $1;
}
for $dest ( @dest ) {
if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
$dest = join( ':', $1, $2 );
} elsif ( $dest =~ /^\((.+)\)$/ ) {
$dest = $1;
}
if ( ( my $result = expand_rule1( $chainref ,
$restriction ,
$prerule ,
$rule ,
$source ,
$dest ,
$origdest ,
$target ,
$loglevel ,
$disposition ,
$exceptionrule ,
$usergenerated ,
$logname ,
) ) && $device ) {
fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
}
}
}
}
# #
# Returns true if the passed interface is associated with exactly one zone # Returns true if the passed interface is associated with exactly one zone
# #
@@ -8921,7 +8887,7 @@ sub create_chainlist_reload($) {
for my $chain ( @chains ) { for my $chain ( @chains ) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/; ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/; fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
$chains{$table} = {} unless $chains{$table}; $chains{$table} = {} unless $chains{$table};
@@ -8950,7 +8916,7 @@ sub create_chainlist_reload($) {
enter_cat_mode; enter_cat_mode;
for $table ( qw(raw nat mangle filter) ) { for $table ( qw(raw rawpost nat mangle filter) ) {
my $tableref=$chains{$table}; my $tableref=$chains{$table};
next unless $tableref; next unless $tableref;
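Review bot: In ensure_accounting_chain the per-chain script is executed with a bare eval of backticked `cat $file`, which shells out with an unquoted, interpolated path and evaluates the script inside package Shorewall::Chains under this file's own strictness, whereas run_user_exit in Config.pm on the same side prefixes `package Shorewall::User;\nno strict;\n# line 1 "$file"\n` before evaluating; strictness and reported error locations therefore differ between accounting scripts and every other chain script. Unless accounting scripts are documented to rely on the local `$level`/`$tag` set just before the eval, and provided Config's :internal tag is imported here, the whole `if ( $config{CHAIN_SCRIPTS} )` block could become `run_user_exit( $chainref ) unless $chain eq 'accounting';`, which also centralises the CHAIN_SCRIPTS and `-f` checks. Either way a comment above the block stating that CHAIN_SCRIPTS executes arbitrary Perl found on CONFIG_PATH with the compiler's privileges is the property an administrator needs when setting directory permissions. ensure_accounting_chain's signature and the start of its body lie outside the hunk.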


@@ -701,7 +701,7 @@ sub compiler {
# #
# Allow user to load Perl modules # Allow user to load Perl modules
# #
run_user_exit 'compile'; run_user_exit1 'compile';
# #
# Create a temp file to hold the script # Create a temp file to hold the script
# #


@@ -130,7 +130,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
split_list split_list
split_list1 split_list1
split_list2 split_list2
split_list3
split_line split_line
split_line1 split_line1
split_line2 split_line2
@@ -155,6 +154,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
propagateconfig propagateconfig
append_file append_file
run_user_exit run_user_exit
run_user_exit1
run_user_exit2
generate_aux_config generate_aux_config
format_warning format_warning
no_comment no_comment
@@ -389,6 +390,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
HEADER_MATCH => 'Header Match', HEADER_MATCH => 'Header Match',
ACCOUNT_TARGET => 'ACCOUNT Target', ACCOUNT_TARGET => 'ACCOUNT Target',
AUDIT_TARGET => 'AUDIT Target', AUDIT_TARGET => 'AUDIT Target',
RAWPOST_TABLE => 'Rawpost Table',
CONDITION_MATCH => 'Condition Match', CONDITION_MATCH => 'Condition Match',
IPTABLES_S => 'iptables -S', IPTABLES_S => 'iptables -S',
BASIC_FILTER => 'Basic Filter', BASIC_FILTER => 'Basic Filter',
@@ -411,8 +413,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
IFACE_MATCH => 'Iface Match', IFACE_MATCH => 'Iface Match',
TCPMSS_TARGET => 'TCPMSS Target', TCPMSS_TARGET => 'TCPMSS Target',
WAIT_OPTION => 'iptables --wait option', WAIT_OPTION => 'iptables --wait option',
CPU_FANOUT => 'NFQUEUE CPU Fanout',
NETMAP_TARGET => 'NETMAP Target',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
@@ -643,7 +643,6 @@ our %eliminated = ( LOGRATE => 1,
WIDE_TC_MARKS => 1, WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1, HIGH_ROUTE_MARKS => 1,
BLACKLISTNEWONLY => 1, BLACKLISTNEWONLY => 1,
CHAIN_SCRIPTS => 1,
); );
# #
# Variables involved in ?IF, ?ELSE ?ENDIF processing # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -748,8 +747,8 @@ sub initialize( $;$$) {
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
KLUDGEFREE => '', KLUDGEFREE => '',
VERSION => "5.1.1-RC1", VERSION => "5.0.9-Beta2",
CAPVERSION => 50100 , CAPVERSION => 50004 ,
BLACKLIST_LOG_TAG => '', BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '', RELATED_LOG_TAG => '',
MACLIST_LOG_TAG => '', MACLIST_LOG_TAG => '',
@@ -816,7 +815,6 @@ sub initialize( $;$$) {
ACCEPT_DEFAULT => undef, ACCEPT_DEFAULT => undef,
QUEUE_DEFAULT => undef, QUEUE_DEFAULT => undef,
NFQUEUE_DEFAULT => undef, NFQUEUE_DEFAULT => undef,
BLACKLIST_DEFAULT => undef,
# #
# RSH/RCP Commands # RSH/RCP Commands
# #
@@ -892,6 +890,7 @@ sub initialize( $;$$) {
WARNOLDCAPVERSION => undef, WARNOLDCAPVERSION => undef,
DEFER_DNS_RESOLUTION => undef, DEFER_DNS_RESOLUTION => undef,
USE_RT_NAMES => undef, USE_RT_NAMES => undef,
CHAIN_SCRIPTS => undef,
TRACK_RULES => undef, TRACK_RULES => undef,
REJECT_ACTION => undef, REJECT_ACTION => undef,
INLINE_MATCHES => undef, INLINE_MATCHES => undef,
@@ -905,7 +904,6 @@ sub initialize( $;$$) {
VERBOSE_MESSAGES => undef , VERBOSE_MESSAGES => undef ,
ZERO_MARKS => undef , ZERO_MARKS => undef ,
FIREWALL => undef , FIREWALL => undef ,
BALANCE_PROVIDERS => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@@ -982,6 +980,7 @@ sub initialize( $;$$) {
CONNMARK_MATCH => undef, CONNMARK_MATCH => undef,
XCONNMARK_MATCH => undef, XCONNMARK_MATCH => undef,
RAW_TABLE => undef, RAW_TABLE => undef,
RAWPOST_TABLE => undef,
IPP2P_MATCH => undef, IPP2P_MATCH => undef,
OLD_IPP2P_MATCH => undef, OLD_IPP2P_MATCH => undef,
CLASSIFY_TARGET => undef, CLASSIFY_TARGET => undef,
@@ -1037,8 +1036,6 @@ sub initialize( $;$$) {
IFACE_MATCH => undef, IFACE_MATCH => undef,
TCPMSS_TARGET => undef, TCPMSS_TARGET => undef,
WAIT_OPTION => undef, WAIT_OPTION => undef,
CPU_FANOUT => undef,
NETMAP_TARGET => undef,
AMANDA_HELPER => undef, AMANDA_HELPER => undef,
FTP_HELPER => undef, FTP_HELPER => undef,
@@ -2712,11 +2709,11 @@ sub directive_info( $$$$ ) {
# Add quotes to the passed value if the passed 'first part' has an odd number of quotes # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
# Return an expression that concatenates $first, $val and $rest # Return an expression that concatenates $first, $val and $rest
# #
sub join_parts( $$$$ ) { sub join_parts( $$$ ) {
my ( $first, $val, $rest, $just_expand ) = @_; my ( $first, $val, $rest ) = @_;
$val = '' unless defined $val; $val = '' unless defined $val;
$val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/ || # Value is numeric $val = "'$val'" unless ( $val =~ /^-?\d+$/ || # Value is numeric
( ( ( $first =~ tr/"/"/ ) & 1 ) || # There are an odd number of double quotes preceding the value ( ( ( $first =~ tr/"/"/ ) & 1 ) || # There are an odd number of double quotes preceding the value
( ( $first =~ tr/'/'/ ) & 1 ) ) ); # There are an odd number of single quotes preceding the value ( ( $first =~ tr/'/'/ ) & 1 ) ) ); # There are an odd number of single quotes preceding the value
join( '', $first, $val, $rest ); join( '', $first, $val, $rest );
@@ -2771,7 +2768,7 @@ sub evaluate_expression( $$$$ ) {
exists $capdesc{$var} ? have_capability( $var ) : '' ); exists $capdesc{$var} ? have_capability( $var ) : '' );
} }
$expression = join_parts( $first, $val, $rest, $just_expand ); $expression = join_parts( $first, $val, $rest );
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100; directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
} }
@@ -2782,7 +2779,7 @@ sub evaluate_expression( $$$$ ) {
$var = numeric_value( $var ) if $var =~ /^\d/; $var = numeric_value( $var ) if $var =~ /^\d/;
$val = $var ? $actparams{$var} : $chain; $val = $var ? $actparams{$var} : $chain;
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
$expression = join_parts( $first, $val, $rest , $just_expand ); $expression = join_parts( $first, $val, $rest );
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100; directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
} }
} }
@@ -2854,7 +2851,7 @@ sub process_compiler_directive( $$$$ ) {
print "CD===> $line\n" if $debug; print "CD===> $line\n" if $debug;
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i; directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
my ($keyword, $expression) = ( uc $1, $2 ); my ($keyword, $expression) = ( uc $1, $2 );
@@ -3042,12 +3039,6 @@ sub process_compiler_directive( $$$$ ) {
$linenumber ) unless $omitting; $linenumber ) unless $omitting;
} , } ,
REQUIRE => sub() {
fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
require_capability( $expression, "The $actparams{action} action", 's' );
} ,
); );
if ( my $function = $directives{$keyword} ) { if ( my $function = $directives{$keyword} ) {
@@ -3676,6 +3667,7 @@ sub expand_variables( \$ ) {
$usedcaller = USEDCALLER if $var eq 'caller'; $usedcaller = USEDCALLER if $var eq 'caller';
} else { } else {
fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var}; fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
$val = $config{$var};
} }
$val = '' unless defined $val; $val = '' unless defined $val;
@@ -3761,7 +3753,7 @@ sub read_a_line($) {
# #
# Handle directives # Handle directives
# #
if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) { if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. ); $omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
next; next;
} }
@@ -4327,22 +4319,6 @@ sub Masquerade_Tgt() {
$result; $result;
} }
sub Netmap_Target() {
have_capability( 'NAT_ENABLED' ) || return '';
my $result = '';
my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
qt1( "$iptables $iptablesw -t nat -F $sillyname" );
qt1( "$iptables $iptablesw -t nat -X $sillyname" );
}
$result;
}
sub Udpliteredirect() { sub Udpliteredirect() {
have_capability( 'NAT_ENABLED' ) || return ''; have_capability( 'NAT_ENABLED' ) || return '';
@@ -4541,6 +4517,10 @@ sub Raw_Table() {
qt1( "$iptables $iptablesw -t raw -L -n" ); qt1( "$iptables $iptablesw -t raw -L -n" );
} }
sub Rawpost_Table() {
qt1( "$iptables $iptablesw -t rawpost -L -n" );
}
sub Old_IPSet_Match() { sub Old_IPSet_Match() {
my $ipset = $config{IPSET} || 'ipset'; my $ipset = $config{IPSET} || 'ipset';
my $result = 0; my $result = 0;
@@ -4868,10 +4848,6 @@ sub Tcpmss_Target() {
qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" ); qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
} }
sub Cpu_Fanout() {
have_capability( 'NFQUEUE_TARGET' ) && qt1( "$iptables -A $sillyname -j NFQUEUE --queue-balance 0:3 --queue-cpu-fanout" );
}
our %detect_capability = our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target, ( ACCOUNT_TARGET =>\&Account_Target,
AMANDA_HELPER => \&Amanda_Helper, AMANDA_HELPER => \&Amanda_Helper,
@@ -4888,7 +4864,6 @@ our %detect_capability =
CONNMARK => \&Connmark, CONNMARK => \&Connmark,
CONNMARK_MATCH => \&Connmark_Match, CONNMARK_MATCH => \&Connmark_Match,
CONNTRACK_MATCH => \&Conntrack_Match, CONNTRACK_MATCH => \&Conntrack_Match,
CPU_FANOUT => \&Cpu_Fanout,
CT_TARGET => \&Ct_Target, CT_TARGET => \&Ct_Target,
DSCP_MATCH => \&Dscp_Match, DSCP_MATCH => \&Dscp_Match,
DSCP_TARGET => \&Dscp_Target, DSCP_TARGET => \&Dscp_Target,
@@ -4932,7 +4907,6 @@ our %detect_capability =
MULTIPORT => \&Multiport, MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled, NAT_ENABLED => \&Nat_Enabled,
NETBIOS_NS_HELPER => \&Netbios_ns_Helper, NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
NETMAP_TARGET => \&Netmap_Target,
NEW_CONNTRACK_MATCH => \&New_Conntrack_Match, NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
NFACCT_MATCH => \&NFAcct_Match, NFACCT_MATCH => \&NFAcct_Match,
NFQUEUE_TARGET => \&Nfqueue_Target, NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -4948,6 +4922,7 @@ our %detect_capability =
POLICY_MATCH => \&Policy_Match, POLICY_MATCH => \&Policy_Match,
PPTP_HELPER => \&PPTP_Helper, PPTP_HELPER => \&PPTP_Helper,
RAW_TABLE => \&Raw_Table, RAW_TABLE => \&Raw_Table,
RAWPOST_TABLE => \&Rawpost_Table,
REALM_MATCH => \&Realm_Match, REALM_MATCH => \&Realm_Match,
REAP_OPTION => \&Reap_Option, REAP_OPTION => \&Reap_Option,
RECENT_MATCH => \&Recent_Match, RECENT_MATCH => \&Recent_Match,
@@ -5075,6 +5050,7 @@ sub determine_capabilities() {
$capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' ); $capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' );
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' ); $capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' ); $capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
$capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' ); $capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' );
$capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' ); $capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' );
$capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' ); $capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' );
@@ -5115,8 +5091,6 @@ sub determine_capabilities() {
$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' ); $capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );
$capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' ); $capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
$capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' ); $capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
$capabilities{CPU_FANOUT} = detect_capability( 'CPU_FANOUT' );
$capabilities{NETMAP_TARGET} = detect_capability( 'NETMAP_TARGET' );
unless ( have_capability 'CT_TARGET' ) { unless ( have_capability 'CT_TARGET' ) {
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH'; $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
@@ -5287,24 +5261,9 @@ sub update_config_file( $ ) {
} }
update_default( 'USE_DEFAULT_RT', 'No' ); update_default( 'USE_DEFAULT_RT', 'No' );
if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
update_default( 'BALANCE_PROVIDERS', 'No' );
} else {
update_default( 'BALANCE_PROVIDERS', 'Yes' );
}
update_default( 'EXPORTMODULES', 'No' ); update_default( 'EXPORTMODULES', 'No' );
update_default( 'RESTART', 'reload' ); update_default( 'RESTART', 'reload' );
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} ); update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
update_default( 'LOGLIMIT', '' );
if ( $family == F_IPV4 ) {
update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
} else {
update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
}
my $fn; my $fn;
@@ -6253,6 +6212,7 @@ sub get_configuration( $$$$ ) {
default_yes_no 'AUTOCOMMENT' , 'Yes'; default_yes_no 'AUTOCOMMENT' , 'Yes';
default_yes_no 'MULTICAST' , ''; default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
if ( supplied ( $val = $config{TRACK_RULES} ) ) { if ( supplied ( $val = $config{TRACK_RULES} ) ) {
if ( lc( $val ) eq 'file' ) { if ( lc( $val ) eq 'file' ) {
@@ -6307,7 +6267,6 @@ sub get_configuration( $$$$ ) {
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
default_yes_no 'AUTOMAKE' , ''; default_yes_no 'AUTOMAKE' , '';
default_yes_no 'TRACK_PROVIDERS' , ''; default_yes_no 'TRACK_PROVIDERS' , '';
default_yes_no 'BALANCE_PROVIDERS' , $config{USE_DEFAULT_RT} ? 'Yes' : '';
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) { unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
default_yes_no( 'NULL_ROUTE_RFC1918', '' ); default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6324,8 +6283,6 @@ sub get_configuration( $$$$ ) {
$config{ACCOUNTING_TABLE} = 'filter'; $config{ACCOUNTING_TABLE} = 'filter';
} }
my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) { if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
if ( $val =~ /^ipset/ ) { if ( $val =~ /^ipset/ ) {
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 ); my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6366,9 +6323,6 @@ sub get_configuration( $$$$ ) {
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' ); require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
$variables{SW_DBL_IPSET} = $set;
$variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
} else { } else {
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' ); default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
} }
@@ -6376,8 +6330,6 @@ sub get_configuration( $$$$ ) {
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' ); default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
} }
add_variables( %variables );
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';
@@ -6643,16 +6595,13 @@ sub get_configuration( $$$$ ) {
} }
default 'RESTOREFILE' , 'restore'; default 'RESTOREFILE' , 'restore';
default 'DROP_DEFAULT' , 'Drop';
default 'DROP_DEFAULT' , 'none'; default 'REJECT_DEFAULT' , 'Reject';
default 'REJECT_DEFAULT' , 'none';
default 'BLACKLIST_DEFAULT' , 'none';
default 'QUEUE_DEFAULT' , 'none'; default 'QUEUE_DEFAULT' , 'none';
default 'NFQUEUE_DEFAULT' , 'none'; default 'NFQUEUE_DEFAULT' , 'none';
default 'ACCEPT_DEFAULT' , 'none'; default 'ACCEPT_DEFAULT' , 'none';
for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) { for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none'; $config{$default} = 'none' if "\L$config{$default}" eq 'none';
} }
@@ -6780,7 +6729,32 @@ sub append_file( $;$$ ) {
$result; $result;
} }
#
# Run a Perl extension script
#
sub run_user_exit( $ ) { sub run_user_exit( $ ) {
my $chainref = $_[0];
my $file = find_file $chainref->{name};
if ( $config{CHAIN_SCRIPTS} && -f $file ) {
progress_message2 "Running $file...";
my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
unless (my $return = eval $command ) {
fatal_error "Couldn't parse $file: $@" if $@;
unless ( defined $return ) {
fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file";
}
fatal_error "$file returned a false value";
}
}
}
sub run_user_exit1( $ ) {
my $file = find_file $_[0]; my $file = find_file $_[0];
if ( -f $file ) { if ( -f $file ) {
@@ -6812,6 +6786,37 @@ sub run_user_exit( $ ) {
} }
} }
sub run_user_exit2( $$ ) {
my ($file, $chainref) = ( find_file $_[0], $_[1] );
if ( $config{CHAIN_SCRIPTS} && -f $file ) {
progress_message2 "Running $file...";
#
# File may be empty -- in which case eval would fail
#
push_open $file;
if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
close_file;
pop_open;
unless (my $return = eval `cat $file` ) {
fatal_error "Couldn't parse $file: $@" if $@;
unless ( defined $return ) {
fatal_error "Couldn't do $file: $!" if $!;
fatal_error "Couldn't do $file";
}
fatal_error "$file returned a false value";
}
}
pop_open;
}
}
# #
# Generate the aux config file for Shorewall Lite # Generate the aux config file for Shorewall Lite
# #
@@ -6838,7 +6843,7 @@ sub generate_aux_config() {
emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#"; emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) { for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
conditionally_add_option $option; conditionally_add_option $option;
} }
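Review bot: run_user_exit2 calls `pop_open` twice on the path where read_a_line returns a line — once inside the `if` right after `close_file`, and again unconditionally after the `if` — so unless pop_open tolerates an already-empty stack, a non-empty maclog script unwinds one level more than this routine pushed and disturbs the caller's open-file state. Moving the trailing `pop_open;` into an `else` branch (or dropping the inner one) keeps push and pop balanced on both paths. Separately, this routine and run_user_exit both read the script via backticked `cat $file`, interpolating an unquoted path into a shell command line; slurping the file with `open()` and `local $/` avoids the shell altogether and behaves with spaces or metacharacters in CONFIG_PATH. A header comment on these routines should say that CHAIN_SCRIPTS=Yes executes arbitrary Perl found on CONFIG_PATH as the compiling user, since that is what decides who may write to those directories.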


@@ -1028,7 +1028,7 @@ sub add_common_rules ( $ ) {
); );
} }
run_user_exit 'initdone'; run_user_exit1 'initdone';
if ( $upgrade ) { if ( $upgrade ) {
convert_blacklist; convert_blacklist;
@@ -1454,6 +1454,8 @@ sub setup_mac_lists( $ ) {
} }
} }
run_user_exit2( 'maclog', $chainref );
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne ''; log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
add_ijump $chainref, j => $target; add_ijump $chainref, j => $target;
} }
@@ -1679,6 +1681,12 @@ sub add_interface_jumps {
addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
if ( have_capability 'RAWPOST_TABLE' ) {
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface};
}
add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy ); add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
} }
# #
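Review bot: The raw-table PREROUTING and OUTPUT jumps on the two lines after the rawpost POSTROUTING jump are installed only when RAWPOST_TABLE is detected, even though the raw table itself needs only RAW_TABLE, and a reader will take that for a copy-paste slip unless told otherwise. If the intent is that per-interface raw chains are only ever created by the stateless NAT code, which itself requires RAWPOST_TABLE, a comment on the `if` line such as `# per-interface raw/rawpost chains exist only for RAWDNAT/RAWSNAT entries, which require the rawpost table` would settle it. These three jumps are inserted at index 0 while the nat jumps just above are appended, so the per-interface order is reversed between the two tables; presumably harmless while the device matches are disjoint, but worth a sentence. add_interface_jumps starts and ends outside this hunk.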


@@ -790,6 +790,7 @@ sub setup_netmap() {
my @rule = do_iproto( $proto, $dport, $sport ); my @rule = do_iproto( $proto, $dport, $sport );
unless ( $type =~ /:/ ) {
my @rulein; my @rulein;
my @ruleout; my @ruleout;
@@ -804,7 +805,7 @@ sub setup_netmap() {
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
} }
require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', ''; require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
if ( $type eq 'DNAT' ) { if ( $type eq 'DNAT' ) {
dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) , dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) ,
@@ -821,9 +822,57 @@ sub setup_netmap() {
@ruleout , @ruleout ,
imatch_dest_net( $net3 ) ); imatch_dest_net( $net3 ) );
} else { } else {
fatal_error 'TYPE must be specified' if $type eq '-';
fatal_error "Invalid type ($type)"; fatal_error "Invalid type ($type)";
} }
} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
my ( $target , $chain ) = ( $1, $2 );
my $table = 'raw';
my @match;
require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
$net2 = validate_net $net2, 0;
unless ( $interfaceref->{root} ) {
@match = imatch_dest_dev( $interface );
$interface = $interfaceref->{name};
}
if ( $chain eq 'P' ) {
$chain = prerouting_chain $interface;
@match = imatch_source_dev( $iface ) unless $iface eq $interface;
} elsif ( $chain eq 'O' ) {
$chain = output_chain $interface;
} else {
$chain = postrouting_chain $interface;
$table = 'rawpost';
}
my $chainref = ensure_chain( $table, $chain );
if ( $target eq 'DNAT' ) {
dest_iexclusion( $chainref ,
j => 'RAWDNAT' ,
"--to-dest $net2" ,
$net1 ,
imatch_source_net( $net3 ) ,
@rule ,
@match
);
} else {
source_iexclusion( $chainref ,
j => 'RAWSNAT' ,
"--to-source $net2" ,
$net1 ,
imatch_dest_net( $net3 ) ,
@rule ,
@match );
}
} else {
fatal_error 'TYPE must be specified' if $type eq '-';
fatal_error "Invalid TYPE ($type)";
}
progress_message " Network $net1 on $iface mapped to $net2 ($type)"; progress_message " Network $net1 on $iface mapped to $net2 ($type)";
} }
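Review bot: The stateless branch checks only `RAWPOST_TABLE` before emitting `RAWDNAT`/`RAWSNAT` rules, so on a host whose rawpost table loads but lacks those xtables-addons targets — or, for the `:P`/`:O` forms that touch only the raw table, a host with the targets but no rawpost table — the failure surfaces when the generated script runs rather than at compile time; unless a capability for the targets exists elsewhere, a comment saying the rawpost check stands in for "xtables-addons present" would at least make the assumption visible. The error text also diverges between the two branches (`Invalid type ($type)` versus `Invalid TYPE ($type)`), and the `[POT]` class maps anything other than `P` or `O` to the rawpost POSTROUTING chain without saying so; a one-liner like `# P = raw PREROUTING, O = raw OUTPUT, anything else (T) = rawpost POSTROUTING` above the `if ( $chain eq 'P' )` would document it. setup_netmap begins before this hunk.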


@@ -523,7 +523,7 @@ sub process_a_provider( $ ) {
( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0); ( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0);
} else { } else {
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )= ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )=
( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0); ( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0);
} }
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
@@ -603,7 +603,6 @@ sub process_a_provider( $ ) {
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)}; fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
unless ( $pseudo ) {
if ( $local ) { if ( $local ) {
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted'; fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
fatal_error "'track' not valid with 'local'" if $track; fatal_error "'track' not valid with 'local'" if $track;
@@ -617,23 +616,6 @@ sub process_a_provider( $ ) {
fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-'; fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
fatal_error "'persistent' is not valid with 'tproxy" if $persistent; fatal_error "'persistent' is not valid with 'tproxy" if $persistent;
$mark = $globals{TPROXY_MARK}; $mark = $globals{TPROXY_MARK};
} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
if ( $config{USE_DEFAULT_RT} ) {
if ( $rf ) {
fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
} else {
fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
}
} else {
unless ( $balance ) {
if ( $rf ) {
fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
} else {
fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
}
}
}
}
} }
my $val = 0; my $val = 0;
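Review bot: The new side of the `@@ -617,23 +616,6 @@` hunk drops the entire `elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} )` branch, so a provider interface carrying `routefilter` (or ROUTE_FILTER=Yes globally) without `balance`, or combined with USE_DEFAULT_RT=Yes, is no longer rejected by `fatal_error` at compile time and is accepted silently. If that relaxation is intended it should be stated in the release notes and in the header comment of `sub process_a_provider`; otherwise the branch should stay, since it is the only place visible here where the route-filter/provider interaction is validated. Removing `unless ( $pseudo ) {` in `@@ -603,7 +603,6 @@` also means the `local`/`tproxy` checks now run for pseudo providers too, which looks like an unrelated behavior change worth confirming. The `@@ -523,7 +523,7 @@` hunk switches the provider default for `$default_balance` from `$config{BALANCE_PROVIDERS}` to `$config{USE_DEFAULT_RT}`, which presumably changes which providers receive a balanced default route; a one-line why-comment on that line would help the next reader. process_a_provider begins and ends outside these hunks.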


@@ -138,7 +138,7 @@ our %section_rmap = ( ALL_SECTION , 'ALL',
our @policy_chains; our @policy_chains;
our %policy_actions; our %default_actions;
our %macros; our %macros;
@@ -233,7 +233,6 @@ use constant { INLINE_OPT => 1 ,
TERMINATING_OPT => 256 , TERMINATING_OPT => 256 ,
AUDIT_OPT => 512 , AUDIT_OPT => 512 ,
LOGJUMP_OPT => 1024 , LOGJUMP_OPT => 1024 ,
SECTION_OPT => 2048 ,
}; };
our %options = ( inline => INLINE_OPT , our %options = ( inline => INLINE_OPT ,
@@ -247,7 +246,6 @@ our %options = ( inline => INLINE_OPT ,
terminating => TERMINATING_OPT , terminating => TERMINATING_OPT ,
audit => AUDIT_OPT , audit => AUDIT_OPT ,
logjump => LOGJUMP_OPT , logjump => LOGJUMP_OPT ,
section => SECTION_OPT ,
); );
our %reject_options; our %reject_options;
@@ -311,14 +309,11 @@ sub initialize( $ ) {
# This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
# in the %config hash when shorewall[6].conf was processed. # in the %config hash when shorewall[6].conf was processed.
# #
%policy_actions = ( DROP => [] , %default_actions = ( DROP => 'none' ,
REJECT => [] , REJECT => 'none' ,
BLACKLIST => [] , ACCEPT => 'none' ,
ACCEPT => [] , QUEUE => 'none' ,
QUEUE => [] , NFQUEUE => 'none' ,
NFQUEUE => [] ,
CONTINUE => [] ,
NONE => [] ,
); );
# #
# These are set to 1 as sections are encountered. # These are set to 1 as sections are encountered.
@@ -432,7 +427,6 @@ sub convert_to_policy_chain($$$$$$)
$chainref->{audit} = $audit; $chainref->{audit} = $audit;
$chainref->{policychain} = $chainref->{name}; $chainref->{policychain} = $chainref->{name};
$chainref->{policypair} = [ $source, $dest ]; $chainref->{policypair} = [ $source, $dest ];
$chainref->{pactions} = [];
} }
# #
@@ -482,7 +476,7 @@ sub set_policy_chain($$$$$$)
$chainref->{synchain} = $polchainref->{synchain}; $chainref->{synchain} = $polchainref->{synchain};
} }
$chainref->{pactions} = $polchainref->{pactions} || []; $chainref->{default} = $polchainref->{default} if defined $polchainref->{default};
$chainref->{is_policy} = 1; $chainref->{is_policy} = 1;
push @policy_chains, $chainref; push @policy_chains, $chainref;
} else { } else {
@@ -531,12 +525,12 @@ sub normalize_action( $$$ );
sub normalize_action_name( $ ); sub normalize_action_name( $ );
sub normalize_single_action( $ ); sub normalize_single_action( $ );
sub process_policy_action( $$$$ ) { sub process_default_action( $$$$ ) {
my ( $originalpolicy, $policy, $paction, $level ) = @_; my ( $originalpolicy, $policy, $default, $level ) = @_;
if ( supplied $paction ) { if ( supplied $default ) {
my $paction_option = ( $policy =~ /_DEFAULT$/ ); my $default_option = ( $policy =~ /_DEFAULT$/ );
my ( $act, $param ) = get_target_param( $paction ); my ( $def, $param ) = get_target_param( $default );
if ( supplied $level ) { if ( supplied $level ) {
validate_level( $level ); validate_level( $level );
@@ -544,49 +538,35 @@ sub process_policy_action( $$$$ ) {
$level = 'none'; $level = 'none';
} }
if ( ( $targets{$act} || 0 ) & ACTION ) { if ( "\L$default" eq 'none' ) {
$paction = supplied $param ? normalize_action( $act, $level, $param ) : if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
$level eq 'none' ? normalize_action_name $act : if ( $default_option ) {
normalize_action( $act, $level, '' ); fatal_error "Invalid setting ($originalpolicy) for $policy";
} elsif ( ( $targets{$act} || 0 ) == INLINE ) {
$paction = $act;
$paction = "$act($param)" if supplied $param;
$paction = join( ':', $paction, $level ) if $level ne 'none';
} elsif ( $paction_option ) {
fatal_error "Unknown Action ($paction) in $policy setting";
} else { } else {
fatal_error "Unknown Policy Action ($paction)"; fatal_error "Invalid policy ($originalpolicy)";
}
}
$default = 'none';
} elsif ( ( $targets{$def} || 0 ) == ACTION ) {
$default = supplied $param ? normalize_action( $def, $level, $param ) :
$level eq 'none' ? normalize_action_name $def :
normalize_action( $def, $level, '' );
} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
$default = $def;
$default = "$def($param)" if supplied $param;
$default = join( ':', $default, $level ) if $level ne 'none';
} elsif ( $default_option ) {
fatal_error "Unknown Action ($default) in $policy setting";
} else {
fatal_error "Unknown Default Action ($default)";
} }
} else { } else {
$paction = $policy_actions{$policy}; $default = $default_actions{$policy} || 'none';
} }
$paction; $default;
}
sub process_policy_actions( $$$ ) {
my ( $originalpolicy, $policy, $pactions ) = @_;
if ( supplied $pactions ) {
my @pactions;
if ( lc $pactions ne 'none' ) {
@pactions = @{$policy_actions{$policy}} if $pactions =~ s/^\+//;
for my $paction ( split_list3( $pactions, 'Policy Action' ) ) {
my ( $action, $level, $remainder ) = split( /:/, $paction, 3 );
fatal_error "Invalid policy action ($paction:$level:$remainder)" if defined $remainder;
push @pactions, process_policy_action( $originalpolicy, $policy, $action, $level );
}
}
\@pactions;
} else {
$policy_actions{$policy};
}
} }
# #
@@ -594,7 +574,7 @@ sub process_policy_actions( $$$ ) {
# #
sub handle_nfqueue( $$ ) { sub handle_nfqueue( $$ ) {
my ($params, $allow_bypass ) = @_; my ($params, $allow_bypass ) = @_;
my ( $action, $bypass, $fanout ); my ( $action, $bypass );
my ( $queue1, $queue2, $queuenum1, $queuenum2 ); my ( $queue1, $queue2, $queuenum1, $queuenum2 );
require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' ); require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules and Policies', '' );
@@ -620,7 +600,6 @@ sub handle_nfqueue( $$ ) {
fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535; fatal_error "Invalid NFQUEUE queue number ($queue1)" unless defined( $queuenum1) && $queuenum1 >= 0 && $queuenum1 <= 65535;
if ( supplied $queue2 ) { if ( supplied $queue2 ) {
$fanout = ' --queue-cpu-fanout' if $queue2 =~ s/c$//;
$queuenum2 = numeric_value( $queue2 ); $queuenum2 = numeric_value( $queue2 );
fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2; fatal_error "Invalid NFQUEUE queue number ($queue2)" unless defined( $queuenum2) && $queuenum2 >= 0 && $queuenum2 <= 65535 && $queuenum1 < $queuenum2;
@@ -642,8 +621,7 @@ sub handle_nfqueue( $$ ) {
} }
if ( supplied $queue2 ) { if ( supplied $queue2 ) {
require_capability 'CPU_FANOUT', '"c"', 's' if $fanout; return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}";
return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
} else { } else {
return "NFQUEUE --queue-num ${queuenum1}${bypass}"; return "NFQUEUE --queue-num ${queuenum1}${bypass}";
} }
@@ -674,10 +652,12 @@ sub process_a_policy1($$$$$$$) {
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit; require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 ); my ( $policy, $default, $level, undef, $remainder ) = split( /:/, $originalpolicy, ACTION_TUPLE_ELEMENTS );
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy; fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;
( $policy , my $queue ) = get_target_param $policy; ( $policy , my $queue ) = get_target_param $policy;
fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy}; fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
@@ -686,7 +666,7 @@ sub process_a_policy1($$$$$$$) {
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy}; fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
} }
my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions ); $default = process_default_action( $originalpolicy, $policy, $default, $level );
if ( defined $queue ) { if ( defined $queue ) {
$policy = handle_nfqueue( $queue, $policy = handle_nfqueue( $queue,
@@ -697,8 +677,6 @@ sub process_a_policy1($$$$$$$) {
if $clientwild || $serverwild; if $clientwild || $serverwild;
fatal_error "NONE policy not allowed to/from firewall zone" fatal_error "NONE policy not allowed to/from firewall zone"
if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL ); if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
} elsif ( $policy eq 'BLACKLIST' ) {
fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
} }
unless ( $clientwild || $serverwild ) { unless ( $clientwild || $serverwild ) {
@@ -743,29 +721,31 @@ sub process_a_policy1($$$$$$$) {
$chainref->{synchain} = $chain $chainref->{synchain} = $chain
} }
$chainref->{pactions} = $pactionref; assert( $default );
my $chainref1 = $usedactions{$default};
$chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
$chainref->{origin} = shortlineinfo(''); $chainref->{origin} = shortlineinfo('');
if ( $clientwild ) { if ( $clientwild ) {
if ( $serverwild ) { if ( $serverwild ) {
for my $zone ( @zonelist ) { for my $zone ( @zonelist ) {
for my $zone1 ( @zonelist ) { for my $zone1 ( @zonelist ) {
set_policy_chain rules_chain( ${zone}, ${zone1} ), $client, $server, $chainref, $policy, $intrazone; set_policy_chain rules_chain( ${zone}, ${zone1} ), $zone, $zone1, $chainref, $policy, $intrazone;
print_policy $zone, $zone1, $originalpolicy, $chain; print_policy $zone, $zone1, $originalpolicy, $chain;
} }
} }
} else { } else {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
set_policy_chain rules_chain( ${zone}, ${server} ), $client, $server, $chainref, $policy, $intrazone; set_policy_chain rules_chain( ${zone}, ${server} ), $zone, $server, $chainref, $policy, $intrazone;
print_policy $zone, $server, $originalpolicy, $chain; print_policy $zone, $server, $originalpolicy, $chain;
} }
} }
} elsif ( $serverwild ) { } elsif ( $serverwild ) {
for my $zone ( @zonelist ) { for my $zone ( @zonelist ) {
set_policy_chain rules_chain( ${client}, ${zone} ), $client, $server, $chainref, $policy, $intrazone; set_policy_chain rules_chain( ${client}, ${zone} ), $client, $zone, $chainref, $policy, $intrazone;
print_policy $client, $zone, $originalpolicy, $chain; print_policy $client, $zone, $originalpolicy, $chain;
} }
} else { } else {
print_policy $client, $server, $originalpolicy, $chain; print_policy $client, $server, $originalpolicy, $chain;
} }
@@ -836,7 +816,6 @@ sub process_policies()
REJECT => undef, REJECT => undef,
DROP => undef, DROP => undef,
CONTINUE => undef, CONTINUE => undef,
BLACKLIST => undef,
QUEUE => undef, QUEUE => undef,
NFQUEUE => undef, NFQUEUE => undef,
NONE => undef NONE => undef
@@ -844,7 +823,6 @@ sub process_policies()
our %map = ( DROP_DEFAULT => 'DROP' , our %map = ( DROP_DEFAULT => 'DROP' ,
REJECT_DEFAULT => 'REJECT' , REJECT_DEFAULT => 'REJECT' ,
BLACKLIST_DEFAULT => 'BLACKLIST' ,
ACCEPT_DEFAULT => 'ACCEPT' , ACCEPT_DEFAULT => 'ACCEPT' ,
QUEUE_DEFAULT => 'QUEUE' , QUEUE_DEFAULT => 'QUEUE' ,
NFQUEUE_DEFAULT => 'NFQUEUE' ); NFQUEUE_DEFAULT => 'NFQUEUE' );
@@ -853,16 +831,16 @@ sub process_policies()
my $firewall = firewall_zone; my $firewall = firewall_zone;
our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' ); our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) { for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
my $actions = $config{$option}; my $action = $config{$option};
if ( $actions eq 'none' ) { unless ( $action eq 'none' ) {
$actions = []; my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
} else { fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
$actions = process_policy_actions( $actions, $option, $actions ); $action = process_default_action( $action, $option, $default, $level );
} }
$policy_actions{$map{$option}} = $actions; $default_actions{$map{$option}} = $action;
} }
for $zone ( all_zones ) { for $zone ( all_zones ) {
@@ -922,23 +900,19 @@ sub process_policies()
sub process_inline ($$$$$$$$$$$$$$$$$$$$$$); sub process_inline ($$$$$$$$$$$$$$$$$$$$$$);
sub add_policy_rules( $$$$$ ) { sub add_policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_; my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
unless ( $target eq 'NONE' ) { unless ( $target eq 'NONE' ) {
my @pactions;
@pactions = @$pactions;
add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT'; add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
for my $paction ( @pactions ) { if ( $default && $default ne 'none' ) {
my ( $action ) = split ':', $paction; my ( $action ) = split ':', $default;
if ( ( $targets{$action} || 0 ) & ACTION ) { if ( ( $targets{$action} || 0 ) == ACTION ) {
# #
# Default action is a regular action -- jump to the action chain # Default action is a regular action -- jump to the action chain
# #
add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} ); add_ijump $chainref, j => use_policy_action( $default, $chainref->{name} );
} else { } else {
# #
# Default action is an inline # Default action is an inline
@@ -950,7 +924,7 @@ sub add_policy_rules( $$$$$ ) {
'', #Matches '', #Matches
'', #Matches1 '', #Matches1
$loglevel, #Log Level and Tag $loglevel, #Log Level and Tag
$paction, #Target $default, #Target
$param || '', #Param $param || '', #Param
'-', #Source '-', #Source
'-', #Dest '-', #Dest
@@ -974,20 +948,7 @@ sub add_policy_rules( $$$$$ ) {
log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target; fatal_error "Null target in policy_rules()" unless $target;
if ( $target eq 'BLACKLIST' ) {
my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
if ( my $timeout = $globals{DBL_TIMEOUT} ) {
add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
} else {
add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
}
$target = 'DROP';
} else {
add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit}; add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
}
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE'; add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
} }
} }
@@ -1003,26 +964,27 @@ sub complete_policy_chain( $$$ ) { #Chainref, Source Zone, Destination Zone
my $chainref = $_[0]; my $chainref = $_[0];
my $policyref = $filter_table->{$chainref->{policychain}}; my $policyref = $filter_table->{$chainref->{policychain}};
my $synparams = $policyref->{synparams}; my $synparams = $policyref->{synparams};
my $defaults = $policyref->{pactions}; my $default = $policyref->{default};
my $policy = $policyref->{policy}; my $policy = $policyref->{policy};
my $loglevel = $policyref->{loglevel}; my $loglevel = $policyref->{loglevel};
assert( $policyref ); assert( $policyref );
if ( $chainref eq $policyref ) { if ( $chainref eq $policyref ) {
add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST}; add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
} else { } else {
if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) { if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
if ( $synparams ) { if ( $synparams ) {
report_syn_flood_protection; report_syn_flood_protection;
add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST}; add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
} else { } else {
add_ijump $chainref, g => $policyref; add_ijump $chainref, g => $policyref;
$chainref = $policyref; $chainref = $policyref;
add_policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
} }
} elsif ( $policy eq 'CONTINUE' ) { } elsif ( $policy eq 'CONTINUE' ) {
report_syn_flood_protection if $synparams; report_syn_flood_protection if $synparams;
add_policy_rules $chainref , $policy , $loglevel , $defaults, $config{MULTICAST}; add_policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
} else { } else {
report_syn_flood_protection if $synparams; report_syn_flood_protection if $synparams;
add_ijump $chainref , g => $policyref; add_ijump $chainref , g => $policyref;
@@ -1045,7 +1007,7 @@ sub complete_policy_chains() {
unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) { unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
my $loglevel = $chainref->{loglevel}; my $loglevel = $chainref->{loglevel};
my $provisional = $chainref->{provisional}; my $provisional = $chainref->{provisional};
my $defaults = $chainref->{pactions}; my $default = $chainref->{default};
my $name = $chainref->{name}; my $name = $chainref->{name};
my $synparms = $chainref->{synparms}; my $synparms = $chainref->{synparms};
@@ -1057,7 +1019,7 @@ sub complete_policy_chains() {
# is a single jump. Generate_matrix() will just use the policy target when # is a single jump. Generate_matrix() will just use the policy target when
# needed. # needed.
# #
ensure_rules_chain $name if ( @$defaults || ensure_rules_chain $name if ( $default ne 'none' ||
$loglevel || $loglevel ||
$synparms || $synparms ||
$config{MULTICAST} || $config{MULTICAST} ||
@@ -1068,7 +1030,8 @@ sub complete_policy_chains() {
} }
if ( $name =~ /^all[-2]|[-2]all$/ ) { if ( $name =~ /^all[-2]|[-2]all$/ ) {
add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST}; run_user_exit $chainref;
add_policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
} }
} }
} }
@@ -1078,6 +1041,7 @@ sub complete_policy_chains() {
my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )}; my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
if ( $chainref->{referenced} ) { if ( $chainref->{referenced} ) {
run_user_exit $chainref;
complete_policy_chain $chainref, $zone, $zone1; complete_policy_chain $chainref, $zone, $zone1;
} }
} }
@@ -1096,19 +1060,23 @@ sub complete_policy_chains() {
sub complete_standard_chain ( $$$$ ) { sub complete_standard_chain ( $$$$ ) {
my ( $stdchainref, $zone, $zone2, $default ) = @_; my ( $stdchainref, $zone, $zone2, $default ) = @_;
run_user_exit $stdchainref;
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) }; my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
my ( $policy, $loglevel ) = ( $default , 6 ); my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
my $policy_actions = $policy_actions{$policy};
my $policychainref; my $policychainref;
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref; $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
if ( $policychainref ) { if ( $policychainref ) {
( $policy, $loglevel, $policy_actions ) = @{$policychainref}{'policy', 'loglevel', 'pactions' }; ( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' };
$stdchainref->{origin} = $policychainref->{origin}; $stdchainref->{origin} = $policychainref->{origin};
} elsif ( $defaultaction !~ /:/ ) {
$defaultaction = normalize_single_action( $defaultaction );
} }
add_policy_rules $stdchainref , $policy , $loglevel, $policy_actions, 0;
add_policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
} }
# #
@@ -1351,18 +1319,8 @@ sub normalize_action( $$$ ) {
# Note: SNAT actions store the current interface's name in the tag # Note: SNAT actions store the current interface's name in the tag
# #
$tag = '' unless defined $tag; $tag = '' unless defined $tag;
$param = '' unless defined $param;
if ( defined( $param ) ) {
#
# Normalize the parameters by removing trailing omitted
# parameters
#
1 while $param =~ s/,-$//;
$param = '' if $param eq '-'; $param = '' if $param eq '-';
} else {
$param = '';
}
join( ':', $action, $level, $tag, $caller, $param ); join( ':', $action, $level, $tag, $caller, $param );
} }
@@ -1464,6 +1422,27 @@ sub createlogactionchain( $$$$$$ ) {
$chainref->{action} = $normalized; $chainref->{action} = $normalized;
if ( $config{CHAIN_SCRIPTS} ) {
unless ( $targets{$action} & BUILTIN ) {
set_optflags( $chainref, DONT_OPTIMIZE );
my $file = find_file $chain;
if ( -f $file ) {
progress_message "Running $file...";
my @params = split /,/, $param;
unless ( my $return = eval `cat $file` ) {
fatal_error "Couldn't parse $file: $@" if $@;
fatal_error "Couldn't do $file: $!" unless defined $return;
fatal_error "Couldn't run $file";
}
}
}
}
$chainref; $chainref;
} }
@@ -1479,6 +1458,27 @@ sub createsimpleactionchain( $$ ) {
$chainref->{action} = $normalized; $chainref->{action} = $normalized;
if ( $config{CHAIN_SCRIPTS} ) {
unless ( $targets{$action} & BUILTIN ) {
set_optflags( $chainref, DONT_OPTIMIZE );
my $file = find_file $action;
if ( -f $file ) {
progress_message "Running $file...";
my ( $level, $tag ) = ( '', '' );
unless ( my $return = eval `cat $file` ) {
fatal_error "Couldn't parse $file: $@" if $@;
fatal_error "Couldn't do $file: $!" unless defined $return;
fatal_error "Couldn't run $file";
}
}
}
}
$chainref; $chainref;
} }
@@ -1876,7 +1876,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ); sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ); sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
sub process_snat1( $$$$$$$$$$$$ ); sub process_snat1( $$$$$$$$$$$$ );
sub perl_action_helper( $$;$$ ); sub perl_action_helper( $$;$$ );
@@ -1983,10 +1983,10 @@ sub process_action(\$\$$) {
} }
} }
} elsif ( $type & MANGLE_TABLE ) { } elsif ( $type & MANGLE_TABLE ) {
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ); my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@@ -2005,14 +2005,13 @@ sub process_action(\$\$$) {
scp => 13, scp => 13,
state => 14, state => 14,
time => 15, time => 15,
switch => 16,
}, },
{}, {},
17, 16,
1 ); 1 );
$headers = '-'; $headers = '-';
} else { } else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
split_line2( 'action file', split_line2( 'action file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@@ -2032,10 +2031,9 @@ sub process_action(\$\$$) {
dscp => 14, dscp => 14,
state => 15, state => 15,
time => 16, time => 16,
switch => 17,
}, },
{}, {},
18, 17,
1 ); 1 );
} }
@@ -2064,8 +2062,7 @@ sub process_action(\$\$$) {
$probability , $probability ,
$dscp , $dscp ,
$state, $state,
$time, $time );
$conditional );
set_inline_matches( $matches ); set_inline_matches( $matches );
} }
} else { } else {
@@ -2119,12 +2116,6 @@ sub process_action(\$\$$) {
pop_open; pop_open;
unless ( @{$chainref->{rules}} ) {
my $file = find_file( $action );
fatal_error "File action.${action} is empty and file $action exists - the two must be combined as described in the Migration Considerations section of the Shorewall release notes" if -f $file;
}
# #
# Pop the action parameters # Pop the action parameters
# #
@@ -2751,7 +2742,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
# #
# Determine the validity of the action # Determine the validity of the action
# #
$actiontype = $targets{$basictarget} || find_macro( $basictarget ); $actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) );
if ( $config{ MAPOLDACTIONS } ) { if ( $config{ MAPOLDACTIONS } ) {
( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param; ( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -2760,9 +2751,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
fatal_error "Unknown ACTION ($action)" unless $actiontype; fatal_error "Unknown ACTION ($action)" unless $actiontype;
$usergenerated = $actiontype & IPTABLES; $usergenerated = $actiontype & IPTABLES;
#
# For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
#
if ( $actiontype == MACRO ) { if ( $actiontype == MACRO ) {
# #
@@ -3159,10 +3147,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
my $actionchain; # Name of the action chain my $actionchain; # Name of the action chain
if ( $actiontype & ACTION ) { if ( $actiontype & ACTION ) {
#
# Handle 'section' option
#
$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
# #
# Create the action:level:tag:param tuple. # Create the action:level:tag:param tuple.
# #
@@ -3796,8 +3780,22 @@ sub build_zone_list( $$$\$\$ ) {
# #
# Process a Record in the rules file # Process a Record in the rules file
# #
sub process_raw_rule1( $$$$$$$$$$$$$$$ ) { sub process_raw_rule ( ) {
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper ) = @_; my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line2( 'rules file',
\%rulecolumns,
$rule_commands,
undef, #Columns
1 ); #Allow inline matches
fatal_error 'ACTION must be specified' if $target eq '-';
#
# Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections.
#
next_section if $section != $next_section;
if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) { if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
progress_message "Rule \"$currentline\" ignored."; progress_message "Rule \"$currentline\" ignored.";
return 1; return 1;
@@ -3863,48 +3861,6 @@ sub process_raw_rule1( $$$$$$$$$$$$$$$ ) {
progress_message qq( Rule "$thisline" $done); progress_message qq( Rule "$thisline" $done);
} }
sub process_raw_rule ( ) {
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line2( 'rules file',
\%rulecolumns,
$rule_commands,
undef, #Columns
1 ); #Allow inline matches
fatal_error 'ACTION must be specified' if $target eq '-';
#
# Section Names are optional so once we get to an actual rule, we need to be sure that
# we close off any missing sections.
#
next_section if $section != $next_section;
my ( @source, @dest );
if ( $source =~ /:\(.+\)/ ) {
@source = split_list3( $source, 'SOURCE' );
} else {
@source = ( $source );
}
if ( $dest =~ /:\(.+\)/ ) {
@dest = split_list3( $dest, 'DEST' );
} else {
@dest = ( $dest );
}
for $source ( @source ) {
$source = join(':', $1, $2 ) if $source =~ /^(.+?):\((.+)\)$/;
for $dest ( @dest ) {
$dest = join( ':', $1, $2 ) if $dest =~ /^(.+?):\((.+)\)$/;
process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
}
}
}
sub intrazone_allowed( $$ ) { sub intrazone_allowed( $$ ) {
my ( $zone, $zoneref ) = @_; my ( $zone, $zoneref ) = @_;
@@ -4009,8 +3965,8 @@ sub process_rules() {
$section = $next_section = DEFAULTACTION_SECTION; $section = $next_section = DEFAULTACTION_SECTION;
} }
sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) { sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ) = @_; my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
my $oldparms = push_action_params( $inline, my $oldparms = push_action_params( $inline,
$chainref, $chainref,
@@ -4029,9 +3985,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
my $save_comment = push_comment; my $save_comment = push_comment;
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime, $mconditional ); my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) = ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@@ -4050,14 +4006,13 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
scp => 13, scp => 13,
state => 14, state => 14,
time => 15, time => 15,
switch => 16,
}, },
{}, {},
17, 16,
1 ); 1 );
$headers = $mheaders = '-'; $headers = $mheaders = '-';
} else { } else {
( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) = ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@@ -4077,10 +4032,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
dscp => 14, dscp => 14,
state => 15, state => 15,
time => 16, time => 16,
switch => 17,
}, },
{}, {},
18, 17,
1 ); 1 );
} }
@@ -4113,9 +4067,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
merge_macro_column( $mprobability , $probability ), merge_macro_column( $mprobability , $probability ),
merge_macro_column( $mdscp , $dscp ), merge_macro_column( $mdscp , $dscp ),
merge_macro_column( $mstate, $state ), merge_macro_column( $mstate, $state ),
merge_macro_column( $mtime, $time ), merge_macro_column( $mtime, $time ) );
merge_macro_column( $mconditional, $conditional ),
);
} }
progress_message " Rule \"$currentline\" $done"; progress_message " Rule \"$currentline\" $done";
@@ -4142,8 +4094,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
# appended to that chain. The chain with be the action's chain unless the action # appended to that chain. The chain with be the action's chain unless the action
# is inlined, in which case it will be the chain which invoked the action. # is inlined, in which case it will be the chain which invoked the action.
# #
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) { sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $condition) = @_; my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time) = @_;
my %designators = ( my %designators = (
P => PREROUTING, P => PREROUTING,
@@ -4253,7 +4205,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
do_headers( $headers ) . do_headers( $headers ) .
do_probability( $probability ) . do_probability( $probability ) .
do_dscp( $dscp ) . do_dscp( $dscp ) .
do_condition( $condition, $chainref->{name} ) .
state_match( $state ) . state_match( $state ) .
$raw_matches , $raw_matches ,
$source , $source ,
@@ -4849,8 +4800,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
$probability , $probability ,
$dscp , $dscp ,
$state, $state,
$time, $time );
$condition );
$done = 1; $done = 1;
} }
}; };
@@ -4987,7 +4937,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
$restriction |= $chainref->{restriction}; $restriction |= $chainref->{restriction};
expand_rule( $chainref , if ( ( my $result = expand_rule( $chainref ,
$restriction, $restriction,
$prerule, $prerule,
do_proto( $proto, $ports, $sports) . $matches . do_proto( $proto, $ports, $sports) . $matches .
@@ -5002,7 +4952,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
do_dscp( $dscp ) . do_dscp( $dscp ) .
state_match( $state ) . state_match( $state ) .
do_time( $time ) . do_time( $time ) .
do_condition( $condition, $chainref->{name} ) .
( $ttl ? "-t $ttl " : '' ) . ( $ttl ? "-t $ttl " : '' ) .
$raw_matches , $raw_matches ,
$source , $source ,
@@ -5012,11 +4961,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
'' , '' ,
$target , $target ,
$exceptionrule , $exceptionrule ,
$usergenerated , $usergenerated ) )
'' , # Log Name && $device ) {
$device , #
$params # expand_rule() returns destination device if any
); #
fatal_error "Class Id $params is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
}
} }
progress_message " Mangle Rule \"$currentline\" $done"; progress_message " Mangle Rule \"$currentline\" $done";
@@ -5244,9 +5195,9 @@ sub process_tc_rule( ) {
sub process_mangle_rule( $ ) { sub process_mangle_rule( $ ) {
my ( $chainref ) = @_; my ( $chainref ) = @_;
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ); my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@@ -5265,14 +5216,13 @@ sub process_mangle_rule( $ ) {
scp => 13, scp => 13,
state => 14, state => 14,
time => 15, time => 15,
switch => 16,
}, },
{}, {},
17, 16,
1 ); 1 );
$headers = '-'; $headers = '-';
} else { } else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@@ -5292,15 +5242,14 @@ sub process_mangle_rule( $ ) {
dscp => 14, dscp => 14,
state => 15, state => 15,
time => 16, time => 16,
switch => 17,
}, },
{}, {},
18, 17,
1 ); 1 );
} }
for my $proto (split_list( $protos, 'Protocol' ) ) { for my $proto (split_list( $protos, 'Protocol' ) ) {
process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ); process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
} }
} }


@@ -42,7 +42,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( process_tc setup_tc ); our @EXPORT = qw( process_tc setup_tc );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = 'MODULEVERSION'; our $VERSION = 'MODULEVERSION';
our %flow_keys = ( 'src' => 1, our %flow_keys = ( 'src' => 1,
@@ -2277,10 +2277,9 @@ sub open_mangle_for_output( $ ) {
# #
transfer_permissions( $fn, $fn1 ); transfer_permissions( $fn, $fn1 );
if ( $family == F_IPV4 ) {
print $mangle <<'EOF'; print $mangle <<'EOF';
# #
# Shorewall -- /etc/shorewall/mangle # Shorewall version 4 - Mangle File
# #
# For information about entries in this file, type "man shorewall-mangle" # For information about entries in this file, type "man shorewall-mangle"
# #
@@ -2290,31 +2289,13 @@ sub open_mangle_for_output( $ ) {
# #
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
############################################################################################################################################################## ####################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH #ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
# PORT(S) PORT(S)
EOF EOF
} else {
print $mangle <<'EOF';
#
# Shorewall6 -- /etc/shorewall6/mangle
#
# For information about entries in this file, type "man shorewall6-mangle"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
######################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP SWITCH
EOF
} }
return ( $mangle, $fn1 ); return ( $mangle, $fn1 );
}
} }
# #
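Review bot: With the `if ( $family == F_IPV4 ) {` branch gone, open_mangle_for_output emits one header template for both families, yet the IPv6 path of process_mangle_rule earlier on this page still parses a HEADERS column, so the legend written into an IPv6 mangle file omits a column its parser accepts and points at `man shorewall-mangle` where the removed branch said `man shorewall6-mangle`. Either keep a family-specific template or add HEADERS to the single legend and reference the family-appropriate manpage. The new `Shorewall version 4 - Mangle File` title also sits oddly next to the `Shorewall Version 5` banner in the shorewall.conf sample near the end of this page — confirm which product version this branch targets. open_mangle_for_output starts outside the hunk.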


@@ -1275,7 +1275,6 @@ sub process_interface( $$ ) {
my $numval = numeric_value $value; my $numval = numeric_value $value;
fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option}; fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss'; require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
$options{logmartians} = 1 if $option eq 'routefilter' && $numval && ! $config{LOG_MARTIANS};
$options{$option} = $numval; $options{$option} = $numval;
$hostoptions{$option} = $numval if $hostopt; $hostoptions{$option} = $numval if $hostopt;
} elsif ( $type == IPLIST_IF_OPTION ) { } elsif ( $type == IPLIST_IF_OPTION ) {


@@ -38,11 +38,12 @@ fi
# #
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
g_basedir=${SHAREDIR}/shorewall g_program=$PRODUCT
g_sharedir="$SHAREDIR/shorewall"
g_confdir="$CONFDIR/$PRODUCT"
g_readrc=1
. $g_basedir/lib.cli . $g_sharedir/lib.cli
setup_product_environment
CONFIG_PATH="$2" CONFIG_PATH="$2"
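Review bot: `g_program=$PRODUCT` and `g_confdir="$CONFDIR/$PRODUCT"` depend on PRODUCT being set before this point, and nothing in the hunk checks it; with an empty PRODUCT the script would carry on with a confdir of `$CONFDIR/` and an empty program name (PRODUCT is presumably provided by the sourced shorewallrc or earlier in the script — confirm). A guard such as `: "${PRODUCT:?PRODUCT is not set}"` placed before the assignments makes that failure explicit instead of deferred. The new `. $g_sharedir/lib.cli` should also be quoted, `. "$g_sharedir/lib.cli"`, to match the quoted assignment above it. The surrounding script continues outside the hunk.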


@@ -349,7 +349,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
case "$default_route" in case "$default_route" in
*metric*) *metric*)
# #
# Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes or =Exact. Otherwise, we only replace the one with metric 0 # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
# #
[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored" [ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
default_route= default_route=
@@ -526,6 +526,13 @@ debug_restore_input() {
qt1 $g_tool -t raw -P $chain ACCEPT qt1 $g_tool -t raw -P $chain ACCEPT
done done
qt1 $g_tool -t rawpost -F
qt1 $g_tool -t rawpost -X
for chain in POSTROUTING; do
qt1 $g_tool -t rawpost -P $chain ACCEPT
done
qt1 $g_tool -t nat -F qt1 $g_tool -t nat -F
qt1 $g_tool -t nat -X qt1 $g_tool -t nat -X
@@ -575,6 +582,9 @@ debug_restore_input() {
'*'raw) '*'raw)
table=raw table=raw
;; ;;
'*'rawpost)
table=rawpost
;;
'*'mangle) '*'mangle)
table=mangle table=mangle
;; ;;
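Review bot: The rawpost block added after the raw loop runs `-F`, `-X` and `-P` against a table that stock iptables does not ship (it comes with the xtables-addons RAWPOST extension), and `qt1` discards the error when the table is absent; if that silent best-effort is intended, a one-line comment such as `# rawpost exists only with xtables-addons; errors are deliberately ignored` would stop the next reader from treating the quiet failure as a bug. The one-element `for chain in POSTROUTING; do ... done` loop can be the single line `qt1 $g_tool -t rawpost -P POSTROUTING ACCEPT`. The same applies to the `'*'rawpost)` arm in the second hunk, which is fine as written. The enclosing function starts and ends outside the hunks.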


@@ -130,8 +130,6 @@ g_docker=
g_dockernetwork= g_dockernetwork=
g_forcereload= g_forcereload=
[ -n "$SERVICEDIR" ] && SUBSYSLOCK=
initialize initialize
if [ -n "$STARTUP_LOG" ]; then if [ -n "$STARTUP_LOG" ]; then


@@ -1,15 +0,0 @@
#
# Shorewall - Sample Params File for universal configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information on entries in this file, type "man shorewall-params"
######################################################################################################################################################################################################
LOG=info # Change this to change the way in which packets are logged.


@@ -10,4 +10,4 @@
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK # LEVEL BURST MASK
$FW net ACCEPT $FW net ACCEPT
net all DROP $LOG net all DROP
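Review bot: The `net all DROP` policy on the new side carries no LOG LEVEL, so connections dropped by this policy leave no trace in the log, whereas the old side logged them at `$LOG` and the one-, two- and three-interface policy samples elsewhere in this compare log their net→all DROP at `info`. If silent dropping is intentional for the universal sample, a comment above the line saying so would help; otherwise `net all DROP info` keeps the samples consistent and preserves visibility into what the firewall is rejecting.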


@@ -1,8 +1,8 @@
############################################################################### ###############################################################################
# #
# Shorewall Version 5 -- /etc/shorewall/shorewall.conf # Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
# #
# For $LOGrmation about the settings in this file, type "man shorewall.conf" # For information about the settings in this file, type "man shorewall.conf"
# #
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html # Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
############################################################################### ###############################################################################
@@ -47,25 +47,25 @@ LOGALLNEW=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="%s %s " LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT="s:1/sec:10" LOGLIMIT=
MACLIST_LOG_LEVEL=$LOG MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL= RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=$LOG RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=$LOG SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=$LOG SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=$LOG TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
@@ -75,7 +75,7 @@ UNTRACKED_LOG_LEVEL=
ARPTABLES= ARPTABLES=
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall" CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
@@ -108,11 +108,10 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG" DROP_DEFAULT="Drop"
DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="dropBcast,dropInvalid:$LOG" REJECT_DEFAULT="Reject"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
@@ -141,12 +140,12 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes
@@ -294,3 +293,5 @@ PROVIDER_OFFSET=
MASK_BITS= MASK_BITS=
ZONE_BITS=0 ZONE_BITS=0
#LAST LINE -- DO NOT REMOVE
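Review bot: `LOGLIMIT=` on the new side leaves firewall log messages unthrottled, whereas the old side capped them at `s:1/sec:10`; an unlimited DROP/REJECT log path lets any remote sender fill the log volume, so either keep a limit such as `LOGLIMIT="s:1/sec:10"` or document in the sample why it is turned off. The same change appears in the one-, two- and three-interface shorewall.conf samples on this page and in the shorewall.conf section that begins near the end of it. Separately, `CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall` drops the quotes the old side had; since shorewall.conf uses shell assignment syntax and is presumably sourced by the CLI, the quoted form `CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"` is the safer one.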


@@ -1,15 +0,0 @@
#
# Shorewall - Sample Params File for one-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information on entries in this file, type "man shorewall-params"
######################################################################################################################################################################################################
LOG=info # Change this to change the way in which packets are logged.


@@ -13,6 +13,6 @@
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT $FW net ACCEPT
net all DROP $LOG net all DROP info
# The FOLLOWING POLICY MUST BE LAST # The FOLLOWING POLICY MUST BE LAST
all all REJECT $LOG all all REJECT info


@@ -58,25 +58,25 @@ LOGALLNEW=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="%s %s " LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT="s:1/sec:10" LOGLIMIT=
MACLIST_LOG_LEVEL="$LOG" MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL= RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG" RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL="$LOG" SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL="$LOG" SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG" TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
@@ -86,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
ARPTABLES= ARPTABLES=
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall" CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
@@ -119,11 +119,10 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG" DROP_DEFAULT="Drop"
DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="dropBcast,dropInvalid:$LOG" REJECT_DEFAULT="Reject"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
@@ -152,12 +151,12 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes
@@ -305,3 +304,5 @@ PROVIDER_OFFSET=
MASK_BITS= MASK_BITS=
ZONE_BITS=0 ZONE_BITS=0
#LAST LINE -- DO NOT REMOVE


@@ -1,15 +0,0 @@
#
# Shorewall - Sample Params File for three-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information on entries in this file, type "man shorewall-params"
######################################################################################################################################################################################################
LOG=info # Change this to change the way in which packets are logged.


@@ -14,6 +14,6 @@
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT loc net ACCEPT
net all DROP $LOG net all DROP info
# THE FOLLOWING POLICY MUST BE LAST # THE FOLLOWING POLICY MUST BE LAST
all all REJECT $LOG all all REJECT info


@@ -11,7 +11,7 @@
# #
# See the file README.txt for further details. # See the file README.txt for further details.
# #
# For $LOGrmation about the settings in this file, type "man shorewall.conf" # For information about the settings in this file, type "man shorewall.conf"
# #
# The manpage is also online at # The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html # http://shorewall.net/manpages/shorewall.conf.html
@@ -55,25 +55,25 @@ LOGALLNEW=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="%s %s " LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT="s:1/sec:10" LOGLIMIT=
MACLIST_LOG_LEVEL=$LOG MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL= RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=$LOG RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=$LOG SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=$LOG SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=$LOG TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
@@ -83,7 +83,7 @@ UNTRACKED_LOG_LEVEL=
ARPTABLES= ARPTABLES=
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall" CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
@@ -116,11 +116,10 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG" DROP_DEFAULT="Drop"
DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="dropBcast,dropInvalid:$LOG" REJECT_DEFAULT="Reject"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
@@ -149,12 +148,12 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
CLAMPMSS=Yes CLAMPMSS=Yes
CLEAR_TC=Yes CLEAR_TC=Yes
@@ -302,3 +301,5 @@ PROVIDER_OFFSET=
MASK_BITS= MASK_BITS=
ZONE_BITS=0 ZONE_BITS=0
#LAST LINE -- DO NOT REMOVE


@@ -1,15 +0,0 @@
#
# Shorewall - Sample Params File for two-interface configuration.
# Copyright (C) 2006-2014 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information on entries in this file, type "man shorewall-params"
######################################################################################################################################################################################################
LOG=info # Change this to change the way in which packets are logged.


@@ -14,7 +14,7 @@
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT loc net ACCEPT
net all DROP $LOG net all DROP info
# THE FOLLOWING POLICY MUST BE LAST # THE FOLLOWING POLICY MUST BE LAST
all all REJECT $LOG all all REJECT info


@@ -58,25 +58,25 @@ LOGALLNEW=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="%s %s " LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT="s:1/sec:10" LOGLIMIT=
MACLIST_LOG_LEVEL=$LOG MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL= RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=$LOG RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=$LOG SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=$LOG SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=$LOG TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
@@ -86,7 +86,7 @@ UNTRACKED_LOG_LEVEL=
ARPTABLES= ARPTABLES=
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall" CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
@@ -119,11 +119,10 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG" DROP_DEFAULT="Drop"
DROP_DEFAULT="dropBcast,dropInvalid:$LOG,dropNotSyn:$LOG"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="dropBcast,dropInvalid:$LOG" REJECT_DEFAULT="Reject"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
@@ -152,12 +151,12 @@ AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
CLAMPMSS=Yes CLAMPMSS=Yes
CLEAR_TC=Yes CLEAR_TC=Yes
@@ -305,3 +304,5 @@ PROVIDER_OFFSET=
MASK_BITS= MASK_BITS=
ZONE_BITS=0 ZONE_BITS=0
#LAST LINE -- DO NOT REMOVE


@@ -12,7 +12,6 @@
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
# #
?require AUDIT_TARGET
############################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT #ACTION SOURCE DEST PROTO DPORT SPORT
# #
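Review bot: Dropping `?require AUDIT_TARGET` means this action file compiles on a system whose kernel or iptables lacks the AUDIT target, and the problem then surfaces only when the generated script is loaded instead of as a clear compile-time capability error; if the line is meant to go, whatever audit rules follow in the file (outside the hunk) should be guarded some other way, or the removal explained in a comment. The same removal appears in the two A_REJECT sections that follow, whose header comments both now read `A_REJECTWITH[([<option>])]`; if one of those files is action.A_REJECT, its comment is now misnamed and should say `A_REJECT[([<option>])]`.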


@@ -22,9 +22,8 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# A_REJECT[([<option>])] where <option> is a valid REJECT option.# # A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
############################################################################### ###############################################################################
?require AUDIT_TARGET
DEFAULTS - DEFAULTS -


@@ -22,9 +22,8 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# A_REJECT[([<option>])] where <option> is a valid REJECT option.# # A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
############################################################################### ###############################################################################
?require AUDIT_TARGET
DEFAULTS - DEFAULTS -


@@ -1,7 +1,7 @@
# #
# Shorewall -- /usr/share/shorewall/action.Drop # Shorewall -- /usr/share/shorewall/action.Drop
# #
# The former default DROP common rules. Use of this action is now deprecated # The default DROP common rules
# #
# This action is invoked before a DROP policy is enforced. The purpose # This action is invoked before a DROP policy is enforced. The purpose
# of the action is: # of the action is:
@@ -20,7 +20,7 @@
# depending on the setting of the first parameter. # depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or # 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter. # A_ACCEPT depending on the first parameter.
# 5 - Action to take with late DNS replies (UDP source port 53). Default # 5 - Action to take with late UDP replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter. # is DROP or A_DROP depending on the first parameter.
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
# depending on the first parameter. # depending on the first parameter.
@@ -28,7 +28,6 @@
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
# #
############################################################################### ###############################################################################
?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
?if passed(@1) ?if passed(@1)
?if @1 eq 'audit' ?if @1 eq 'audit'
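Review bot: The reworded parameter 5 comment, `late UDP replies (UDP source port 53)`, is less precise than the old `late DNS replies`: source port 53 identifies DNS, and the neighbouring parameters name the protocol at that level (ICMP, UPnP), so `late DNS replies (UDP source port 53)` reads better. action.Reject in the next section has the identical line. With the `?warning` line removed, the first-line comment `The default DROP common rules` is the only statement of the action's status, which agrees with `DROP_DEFAULT="Drop"` in the shorewall.conf samples on this page; confirm the deprecation is really withdrawn rather than just unannounced.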


@@ -1,7 +1,7 @@
# #
# Shorewall -- /usr/share/shorewall/action.Reject # Shorewall -- /usr/share/shorewall/action.Reject
# #
# The former default REJECT action common rules. Use of this action is deprecated. # The default REJECT action common rules
# #
# This action is invoked before a REJECT policy is enforced. The purpose # This action is invoked before a REJECT policy is enforced. The purpose
# of the action is: # of the action is:
@@ -20,14 +20,13 @@
# depending on the setting of the first parameter. # depending on the setting of the first parameter.
# 4 - Action to take with required ICMP packets. Default is ACCEPT or # 4 - Action to take with required ICMP packets. Default is ACCEPT or
# A_ACCEPT depending on the first parameter. # A_ACCEPT depending on the first parameter.
# 5 - Action to take with late DNS replies (UDP source port 53). Default # 5 - Action to take with late UDP replies (UDP source port 53). Default
# is DROP or A_DROP depending on the first parameter. # is DROP or A_DROP depending on the first parameter.
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
# depending on the first parameter. # depending on the first parameter.
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
############################################################################### ###############################################################################
?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
?if passed(@1) ?if passed(@1)
?if @1 eq 'audit' ?if @1 eq 'audit'


@@ -9,6 +9,8 @@
# Builtin Actions are: # Builtin Actions are:
# #
?if 0 ?if 0
A_ACCEPT # Audits then accepts a connection request
A_DROP # Audits then drops a connection request
allowBcast # Silently Allow Broadcast/multicast allowBcast # Silently Allow Broadcast/multicast
dropBcast # Silently Drop Broadcast/multicast dropBcast # Silently Drop Broadcast/multicast
dropNotSyn # Silently Drop Non-syn TCP packets dropNotSyn # Silently Drop Non-syn TCP packets
@@ -26,12 +28,10 @@ A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL AutoBLL noinline # Helper for AutoBL
BLACKLIST logjump,section # Add sender to the dynamic blacklist
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
DNSAmp # Matches one-question recursive DNS queries DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state dropInvalid inline # Drops packets in the INVALID conntrack state
DropDNSrep inline # Drops DNS replies
DropSmurfs noinline # Drop smurf packets DropSmurfs noinline # Drop smurf packets
Established inline,\ # Handles packets in the ESTABLISHED state Established inline,\ # Handles packets in the ESTABLISHED state
state=ESTABLISHED # state=ESTABLISHED #


@@ -10,5 +10,5 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
# #
############################################################################################################################################################## ####################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP


@@ -22,4 +22,3 @@
# net eth0 130.252.100.255 routefilter,norfc1918 # net eth0 130.252.100.255 routefilter,norfc1918
# #
############################################################################### ###############################################################################
LOG=info # Default Log Level


@@ -2,7 +2,7 @@
# #
# Shorewall Version 5 -- /etc/shorewall/shorewall.conf # Shorewall Version 5 -- /etc/shorewall/shorewall.conf
# #
# For $LOGrmation about the settings in this file, type "man shorewall.conf" # For information about the settings in this file, type "man shorewall.conf"
# #
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html # Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
############################################################################### ###############################################################################
@@ -47,25 +47,25 @@ LOGALLNEW=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="%s %s " LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT="s:1/sec:10" LOGLIMIT=
MACLIST_LOG_LEVEL=$LOG MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL= RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=$LOG RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=$LOG SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=$LOG SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=$LOG TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
@@ -108,11 +108,10 @@ TC=
############################################################################### ###############################################################################
ACCEPT_DEFAULT=none ACCEPT_DEFAULT=none
BLACKLIST_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG DROP_DEFAULT=Drop
DROP_DEFAULT=dropBcasts,dropNotSyn:$LOG,dropInvalid:$LOG
NFQUEUE_DEFAULT=none NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none QUEUE_DEFAULT=none
REJECT_DEFAULT=dropBcasts,dropInvalid:$LOG REJECT_DEFAULT=Reject
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
@@ -139,14 +138,14 @@ AUTOCOMMENT=Yes
AUTOHELPERS=Yes AUTOHELPERS=Yes
AUTOMAKE=Yes AUTOMAKE=No
BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=Yes
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes
@@ -185,7 +184,7 @@ INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes
IP_FORWARDING=Keep IP_FORWARDING=On
KEEP_RT_TABLES=No KEEP_RT_TABLES=No
@@ -211,7 +210,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No NULL_ROUTE_RFC1918=No
OPTIMIZE=All OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No
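Review bot: LOGLIMIT is left empty in the right-hand column (`LOGLIMIT=`) while the MACLIST/RPFILTER/SFILTER/SMURF/TCP_FLAGS log levels stay at `info`, so any peer that can trigger one of those logged drops can flood `/var/log/messages` at line rate; the left-hand column's `LOGLIMIT="s:1/sec:10"` is the safer sample default. The hunk headers (`-108,11 +108,10`) suggest the right-hand column is the resulting file, but the rendered page carries no +/- markers, so please confirm the direction before acting on this. In the same hunks `IP_FORWARDING=On` switches routing on unconditionally where `Keep` left the sysctl alone, `OPTIMIZE=0` disables rule optimization, and `BLACKLIST_DEFAULT` disappears; each is a deliberate change of sample defaults that deserves a one-line comment next to the setting, e.g. `# LOGLIMIT intentionally unset: see LOGLIMIT in shorewall.conf(5) before shipping`.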


@@ -89,7 +89,7 @@ wait_for_pppd () {
# start the firewall # start the firewall
shorewall_start () { shorewall_start () {
printf "Starting \"Shorewall firewall\": " echo -n "Starting \"Shorewall firewall\": "
wait_for_pppd wait_for_pppd
$SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
@@ -98,10 +98,10 @@ shorewall_start () {
# stop the firewall # stop the firewall
shorewall_stop () { shorewall_stop () {
if [ "$SAFESTOP" = 1 ]; then if [ "$SAFESTOP" = 1 ]; then
printf "Stopping \"Shorewall firewall\": " echo -n "Stopping \"Shorewall firewall\": "
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
else else
printf "Clearing all \"Shorewall firewall\" rules: " echo -n "Clearing all \"Shorewall firewall\" rules: "
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
fi fi
return 0 return 0
@@ -109,21 +109,21 @@ shorewall_stop () {
# reload the firewall # reload the firewall
shorewall_reload () { shorewall_reload () {
printf "Reloading \"Shorewall firewall\": " echo -n "Reloading \"Shorewall firewall\": "
$SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
} }
# restart the firewall # restart the firewall
shorewall_restart () { shorewall_restart () {
printf "Restarting \"Shorewall firewall\": " echo -n "Restarting \"Shorewall firewall\": "
$SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
} }
# refresh the firewall # refresh the firewall
shorewall_refresh () { shorewall_refresh () {
printf "Refreshing \"Shorewall firewall\": " echo -n "Refreshing \"Shorewall firewall\": "
$SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0 return 0
} }
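Review bot: `shorewall_start` and `shorewall_stop` end with `return 0` whether or not `$SRWL $SRWL_OPTS start` succeeded, so a failed compile or start is reported to the init system as success and the host continues booting without its firewall; unless `echo_notdone` (defined outside this hunk) exits on its own, the status should be propagated, e.g. `$SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || { echo_notdone; return 1; }`. The same pattern repeats in the reload, restart and refresh functions below. The printf/`echo -n` swap does not touch this; note that `-n` on `echo` is implementation-defined under POSIX sh while `printf '%s' "Starting ..."` is portable, so whichever column ends up in the file, the printf form is the safer spelling for a script that may run under dash.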


@@ -38,7 +38,7 @@ if [ -f ${SYSCONFDIR}/$prog ]; then
fi fi
start() { start() {
printf $"Starting Shorewall: " echo -n $"Starting Shorewall: "
$shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
@@ -52,7 +52,7 @@ start() {
} }
stop() { stop() {
printf $"Stopping Shorewall: " echo -n $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger $shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
@@ -66,7 +66,7 @@ stop() {
} }
reload() { reload() {
printf $"Reloading Shorewall: " echo -n $"Reloading Shorewall: "
$shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
@@ -83,7 +83,7 @@ reload() {
restart() { restart() {
# Note that we don't simply stop and start since shorewall has a built in # Note that we don't simply stop and start since shorewall has a built in
# restart which stops the firewall if running and then starts it. # restart which stops the firewall if running and then starts it.
printf $"Restarting Shorewall: " echo -n $"Restarting Shorewall: "
$shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]} retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then if [[ $retval == 0 ]]; then
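Review bot: In the left-hand column the localized prompt is passed as printf's format string (`printf $"Starting Shorewall: "`), so a translation containing `%` would be parsed as a conversion, and because the expansion is unquoted it is also subject to word splitting and globbing; the robust spelling is `printf '%s' $"Starting Shorewall: "`. The `echo -n $"..."` form in the other column avoids the format-string problem, and since this script already relies on bash (`[[`, `PIPESTATUS`) the non-portable `-n` is acceptable there. Either way, capturing `retval=${PIPESTATUS[0]}` is the right choice and keeps a failed start from being masked by the `$logger` pipe.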


@@ -103,7 +103,7 @@ require()
cd "$(dirname $0)" cd "$(dirname $0)"
if [ -f shorewall.service ]; then if [ -f shorewall ]; then
PRODUCT=shorewall PRODUCT=shorewall
Product=Shorewall Product=Shorewall
else else
@@ -175,6 +175,7 @@ if [ $# -eq 0 ]; then
. ./shorewallrc . ./shorewallrc
elif [ -f ~/.shorewallrc ]; then elif [ -f ~/.shorewallrc ]; then
. ~/.shorewallrc || exit 1 . ~/.shorewallrc || exit 1
file=./.shorewallrc
elif [ -f /usr/share/shorewall/shorewallrc ]; then elif [ -f /usr/share/shorewall/shorewallrc ]; then
. /usr/share/shorewall/shorewallrc . /usr/share/shorewall/shorewallrc
else else
@@ -380,9 +381,9 @@ fi
echo "Installing $Product Version $VERSION" echo "Installing $Product Version $VERSION"
# #
# Check for /usr/share/$PRODUCT/version # Check for /sbin/$PRODUCT
# #
if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
first_install="" first_install=""
else else
first_install="Yes" first_install="Yes"
@@ -393,6 +394,10 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve
exit 1 exit 1
fi fi
install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}
echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
# #
# Install the Firewall Script # Install the Firewall Script
# #
@@ -1042,11 +1047,18 @@ fi
cd .. cd ..
#
# Install the Makefiles
#
run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
if [ -z "$SPARSE" ]; then
run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
fi
# #
# Install the Action files # Install the Action files
# #
cd Actions
for f in action.* ; do for f in action.* ; do
case $f in case $f in
*.deprecated) *.deprecated)
@@ -1059,10 +1071,8 @@ for f in action.* ; do
;; ;;
esac esac
done done
#
# Now the Macros cd Macros
#
cd ../Macros
for f in macro.* ; do for f in macro.* ; do
case $f in case $f in
@@ -1094,10 +1104,7 @@ if [ $PRODUCT = shorewall6 ]; then
# Symbolically link 'functions' to lib.base # Symbolically link 'functions' to lib.base
# #
ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
# [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
# And create a sybolic link for the CLI
#
ln -sf shorewall ${DESTDIR}${SBINDIR}/shorewall6
fi fi
if [ -d Perl ]; then if [ -d Perl ]; then
@@ -1172,7 +1179,7 @@ if [ -n "$MANDIR" ]; then
cd manpages cd manpages
[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
for f in *.5; do for f in *.5; do
gzip -9c $f > $f.gz gzip -9c $f > $f.gz
@@ -1180,8 +1187,6 @@ for f in *.5; do
echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz" echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
done done
[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/
for f in *.8; do for f in *.8; do
gzip -9c $f > $f.gz gzip -9c $f > $f.gz
run_install $INSTALLD -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz run_install $INSTALLD -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
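Review bot: `[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT}` (and the parallel line rewriting lib.base) runs `eval` over a command line that embeds the unquoted SHAREDIR and DESTDIR values, so a value containing `|`, whitespace or a quote either corrupts the sed expression or is re-parsed as shell. The `eval` is unnecessary: `sed -i "s|/usr/share/|${SHAREDIR}/|" "${DESTDIR}${SBINDIR}/${PRODUCT}"` does the same job, and a guard such as `case $SHAREDIR in *'|'*) echo "SHAREDIR may not contain '|'" >&2; exit 1;; esac` covers the remaining sed metacharacter. SHAREDIR comes from the sourced shorewallrc, so this is a robustness issue for an admin-controlled value rather than an untrusted-input one. Separately, the `file=./.shorewallrc` line sits in the branch that has just sourced `~/.shorewallrc`; if it survives in the resulting file it records a path under the build directory rather than the file actually loaded, so `file=~/.shorewallrc` looks like the intended value — worth checking against how `file` is consumed later in the script.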


@@ -48,10 +48,10 @@ get_config() {
fi fi
if [ "$(id -u)" -eq 0 ]; then if [ "$(id -u)" -eq 0 ]; then
config=$(find_file ${PRODUCT}.conf) config=$(find_file $g_program.conf)
else else
[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration" [ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
config="$g_shorewalldir/$PRODUCT.conf" config="$g_shorewalldir/$g_program.conf"
fi fi
if [ -f $config ]; then if [ -f $config ]; then
@@ -155,7 +155,7 @@ get_config() {
if [ "$2" = Yes ]; then if [ "$2" = Yes ]; then
case $STARTUP_ENABLED in case $STARTUP_ENABLED in
No|no|NO) No|no|NO)
not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${PRODUCT}.conf" not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
;; ;;
Yes|yes|YES) Yes|yes|YES)
;; ;;
@@ -397,8 +397,8 @@ compiler() {
pc=${LIBEXECDIR}/shorewall/compiler.pl pc=${LIBEXECDIR}/shorewall/compiler.pl
if [ $(id -u) -ne 0 ]; then if [ $(id -u) -ne 0 ]; then
if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then
startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration" startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
fi fi
fi fi
# #
@@ -443,7 +443,6 @@ compiler() {
fi fi
options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}" options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
[ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}" [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
[ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
[ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"; [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
@@ -1230,7 +1229,7 @@ safe_commands() {
if run_it ${VARDIR}/.$command $g_debugging $command; then if run_it ${VARDIR}/.$command $g_debugging $command; then
printf "Do you want to accept the new firewall configuration? [y/n] " echo -n "Do you want to accept the new firewall configuration? [y/n] "
if read_yesno_with_timeout $timeout ; then if read_yesno_with_timeout $timeout ; then
echo "New configuration has been accepted" echo "New configuration has been accepted"
@@ -1420,7 +1419,6 @@ remote_reload_command() # $* = original arguments less the command.
sharedir=${SHAREDIR} sharedir=${SHAREDIR}
local litedir local litedir
local exitstatus local exitstatus
local program
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1 option=$1
@@ -1497,17 +1495,12 @@ remote_reload_command() # $* = original arguments less the command.
sbindir="$SBINDIR" sbindir="$SBINDIR"
confdir="$CONFDIR" confdir="$CONFDIR"
libexec="$LIBEXECDIR" libexec="$LIBEXECDIR"
litedir="${VARDIR}-lite"
. $sharedir/shorewall/shorewallrc . $sharedir/shorewall/shorewallrc
else else
error_message " WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $g_basedir/shorewalrc" >&2 error_message " WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2
sbindir="$SBINDIR"
confdir="$CONFDIR"
libexec="$LIBEXECDIR"
litedir="${VARDIR}-lite"
fi fi
if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then if [ -f $g_shorewalldir/${g_program}.conf ]; then
if [ -f $g_shorewalldir/params ]; then if [ -f $g_shorewalldir/params ]; then
. $g_shorewalldir/params . $g_shorewalldir/params
fi fi
@@ -1523,7 +1516,7 @@ remote_reload_command() # $* = original arguments less the command.
[ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set" [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
fi fi
else else
fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist" fatal_error "$g_shorewalldir/$g_program.conf does not exist"
fi fi
if [ -z "$getcaps" ]; then if [ -z "$getcaps" ]; then
@@ -1548,14 +1541,12 @@ remote_reload_command() # $* = original arguments less the command.
g_export=Yes g_export=Yes
program=$sbindir/${PRODUCT}-lite temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
#
# Handle nonstandard remote VARDIR
#
temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
[ -n "$temp" ] && litedir="$temp" [ -n "$temp" ] && litedir="$temp"
[ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite
g_file="$g_shorewalldir/firewall" g_file="$g_shorewalldir/firewall"
exitstatus=0 exitstatus=0
@@ -1566,29 +1557,30 @@ remote_reload_command() # $* = original arguments less the command.
save=$(find_file save); save=$(find_file save);
if [ -f $save ]; then if [ -f $save ]; then
progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/" progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/"
rcp_command $save ${confdir}/$PRODUCT/ rcp_command $save ${confdir}/shorewall-lite/
exitstatus=$? exitstatus=$?
fi fi
if [ $exitstatus -eq 0 ]; then if [ $exitstatus -eq 0 ]; then
progress_message3 "Copy complete" progress_message3 "Copy complete"
if [ $COMMAND = remote-reload ]; then if [ $COMMAND = remote-reload ]; then
if rsh_command "$program $g_debugging $verbose $timestamp reload"; then if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then
progress_message3 "System $system reloaded" progress_message3 "System $system reloaded"
else else
exitstatus=$? exitstatus=$?
savit= savit=
fi fi
elif [ $COMMAND = remote-restart ]; then elif [ $COMMAND = remote-restart ]; then
if rsh_command "$program $g_debugging $verbose $timestamp restart"; then if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then
progress_message3 "System $system restarted" progress_message3 "System $system restarted"
else else
exitstatus=$? exitstatus=$?
saveit= saveit=
fi fi
elif rsh_command "$program $g_debugging $verbose $timestamp start"; then elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then
progress_message3 "System $system started" progress_message3 "System $system started"
else else
exitstatus=$? exitstatus=$?
@@ -1596,7 +1588,7 @@ remote_reload_command() # $* = original arguments less the command.
fi fi
if [ -n "$saveit" ]; then if [ -n "$saveit" ]; then
if rsh_command "$program $g_debugging $verbose $timestamp save"; then if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then
progress_message3 "Configuration on system $system saved" progress_message3 "Configuration on system $system saved"
else else
exitstatus=$? exitstatus=$?
@@ -1661,7 +1653,7 @@ export_command() # $* = original arguments less the command.
target=$2 target=$2
;; ;;
*) *)
fatal_error "Invalid command syntax (\"man shorewall\" for help)" fatal_error "Invalid command syntax (\"man $g_program\" for help)"
;; ;;
esac esac
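Review bot: The `save` file is copied to a directory that does not match the progress message printed immediately before it: one column announces `${confdir}/${PRODUCT}-lite/` but runs `rcp_command $save ${confdir}/$PRODUCT/`, while the other announces `${confdir}/${g_program}-lite/` but runs `rcp_command $save ${confdir}/shorewall-lite/`, which is wrong when `g_program` is shorewall6. Whichever column is the resulting code, the destination should be derived from the same variable as the message, e.g. `rcp_command $save ${confdir}/${g_program}-lite/`. `remote_reload_command` begins and ends outside these hunks, so I could not see whether `$system` is validated before it reaches `rsh_command`/`rcp_command`; it can be taken from the FIREWALL setting of the sourced `params` file (per the error text at the `-n "$system"` check), and presumably the remote side receives it via a shell, so a value carrying shell metacharacters would be worth rejecting up front.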


@@ -191,25 +191,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>section</option></term>
<listitem>
<para>Added in Shorewall 5.1.1. When specified, this option
causes the rules file section name and a comma to be prepended
to the parameters passed to the action (if any). Note that
this means that the first parameter passed to the action by
the user is actually the second parameter to the action. If
the action is invoked out of the blrules file, 'BLACKLIST' is
used as the section name.</para>
<para>Given that neither the <filename>snat</filename> nor the
<filename>mangle</filename> file is sectioned, this parameter
has no effect when <option>mangle</option> or
<option>nat</option> is specified. </para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term> <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
@@ -224,9 +205,9 @@
<listitem> <listitem>
<para>Added in Shorewall 4.6.4. When used with <para>Added in Shorewall 4.6.4. When used with
<option>builtin</option>, indicates that the built-in action <replaceable>builtin</replaceable>, indicates that the
is termiating (i.e., if the action is jumped to, the next rule built-in action is termiating (i.e., if the action is jumped
in the chain is not evaluated).</para> to, the next rule in the chain is not evaluated).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>


@@ -380,7 +380,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>SOURCE (format 3 prior to Shorewall 5.1.0) <term>SOURCE (format 3)
{-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term> {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
<listitem> <listitem>
@@ -394,91 +394,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and <term>DEST
later) -
{-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
<listitem>
<para>where <replaceable>source-spec</replaceable> is one of the
following:</para>
<variablelist>
<varlistentry>
<term><replaceable>interface</replaceable></term>
<listitem>
<para>Where interface is the logical name of an interface
defined in <ulink
url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>where <replaceable>address</replaceable> may be:</para>
<itemizedlist>
<listitem>
<para>A host or network IP address.</para>
</listitem>
<listitem>
<para>A MAC address in Shorewall format (preceded by a
tilde ("~") and using dash ("-") as a separator.</para>
</listitem>
<listitem>
<para>The name of an ipset preceded by a plus sign ("+").
See <ulink
url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
</listitem>
</itemizedlist>
<para><replaceable>exclusion</replaceable> is described in
<ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>This form combines the preceding two and requires that
both the incoming interace and source address match.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>exclusion</replaceable></term>
<listitem>
<para>See <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>source-spec</replaceable>s separated by commas may be
specified provided that the following alternative forms are
used:</para>
<blockquote>
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para>(<replaceable>exclusion</replaceable>)</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST (Prior to Shorewall 5.1.0)
{-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term> {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
<listitem> <listitem>
@@ -490,89 +406,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
{-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
<listitem>
<para>where <replaceable>dest-spec</replaceable> is one of the
following:</para>
<variablelist>
<varlistentry>
<term><replaceable>interface</replaceable></term>
<listitem>
<para>Where interface is the logical name of an interface
defined in <ulink
url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>where <replaceable>address</replaceable> may be:</para>
<itemizedlist>
<listitem>
<para>A host or network IP address.</para>
</listitem>
<listitem>
<para>A MAC address in Shorewall format (preceded by a
tilde ("~") and using dash ("-") as a separator.</para>
</listitem>
<listitem>
<para>The name of an ipset preceded by a plus sign ("+").
See <ulink
url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
</listitem>
</itemizedlist>
<para><replaceable>exclusion</replaceable> is described in
<ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>This form combines the preceding two and requires that
both the outgoing interace and destination address
match.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>exclusion</replaceable></term>
<listitem>
<para>See <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple source-specs
separated by commas may be specified provided that the following
alternative forms are used:</para>
<blockquote>
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para>(<replaceable>exclusion</replaceable>)</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>PROTO <term>PROTO
<replaceable>protocol-name-or-number</replaceable>[,...]</term> <replaceable>protocol-name-or-number</replaceable>[,...]</term>


@@ -303,12 +303,6 @@ loc eth2 -</programlisting>
<para>Designates the interface as a bridge. Beginning with <para>Designates the interface as a bridge. Beginning with
Shorewall 4.4.7, setting this option also sets Shorewall 4.4.7, setting this option also sets
<option>routeback</option>.</para> <option>routeback</option>.</para>
<note>
<para>If you have a bridge that you don't intend to define
bport zones on, then it is best to omit this option and
simply specify <option>routeback</option>.</para>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -768,13 +762,6 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</note> </note>
<para>Beginning with Shorewall 5.1.1, when
<option>routefilter</option> is set to a non-zero value, the
<option>logmartians</option> option is also implicitly set. If
you actually want route filtering without logging, then you
must also specify <option>logmartians=0</option> after
<option>routefilter</option>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -787,7 +774,7 @@ loc eth2 -</programlisting>
iptables and kernel. It provides a more efficient alternative iptables and kernel. It provides a more efficient alternative
to the <option>sfilter</option> option below. It performs a to the <option>sfilter</option> option below. It performs a
function similar to <option>routefilter</option> (see above) function similar to <option>routefilter</option> (see above)
but works with Multi-ISP configurations that do not use but works with Multi-ISP configurations that do now use
balanced routes.</para> balanced routes.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -775,253 +775,98 @@ Normal-Service =&gt; 0x00</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE - <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
{-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term> role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem> <listitem>
<para>where <replaceable>source-spec</replaceable> is one of:</para> <para>May be:</para>
<variablelist> <orderedlist>
<varlistentry> <listitem>
<term><replaceable>interface</replaceable></term> <para>An interface name - matches traffic entering the firewall
on the specified interface. May not be used in classify rules or
in rules using the :T chain qualifier.</para>
</listitem>
<listitem> <listitem>
<para>where <replaceable>interface</replaceable> is the <para>A comma-separated list of host or network IP addresses or
logical name of an interface defined in <ulink MAC addresses. <emphasis role="bold">This form will not match
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). traffic that originates on the firewall itself unless either
Matches packets entering the firewall from the named &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
interface. May not be used in CLASSIFY rules or in rules using the ACTION column.</emphasis></para>
<para>Examples:<simplelist>
<member>0.0.0.0/0</member>
</simplelist></para>
<para><simplelist>
<member>192.168.1.0/24, 172.20.4.0/24</member>
</simplelist></para>
</listitem>
<listitem>
<para>An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses. May not be used in classify rules or in rules using
the :T chain qualifier.</para> the :T chain qualifier.</para>
</listitem> </listitem>
</varlistentry>
<varlistentry>
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem> <listitem>
<para>where <replaceable>address</replaceable> is:</para> <para>$FW optionally followed by a colon (":") and a
comma-separated list of host or network IP addresses. Matches
<blockquote> packets originating on the firewall. May not be used with a
<para>A host or network IP address.</para> chain qualifier (:P, :F, etc.) in the ACTION column.</para>
<para>The name of an ipset preceded by a plus sign
("+").</para>
<para>A MAC address in Shorewall format (preceded by a tilde
("~") and using dash ("-") as a separator (e.g.,
~00-A0-C9-15-39-78).</para>
</blockquote>
<para>Matches traffic whose source IP address matches one of
the listed addresses and that does not match an address listed
in the <replaceable>exclusion</replaceable> (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
<para><emphasis role="bold">This form will not match traffic
that originates on the firewall itself unless either
&lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
in the ACTION column.</emphasis></para>
</listitem> </listitem>
</varlistentry> </orderedlist>
<varlistentry> <para>MAC addresses must be prefixed with "~" and use "-" as a
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term> separator.</para>
<listitem> <para>Example: ~00-A0-C9-15-39-78</para>
<para>This form combines the preceding two forms and matches
when both the incoming interface and source IP address
match.</para>
</listitem>
</varlistentry>
<varlistentry> <para>You may exclude certain hosts from the set already defined
<term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term> through use of an <emphasis>exclusion</emphasis> (see <ulink
<listitem>
<para>This form matches packets arriving through the named
<replaceable>interface</replaceable> and whose source IP
address does not match any of the addresses in the
<replaceable>exclusion</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$FW</term>
<listitem>
<para>Matches packets originating on the firewall system. May
not be used with a chain qualifier (:P, :F, etc.) in the
ACTION column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>where <replaceable>address</replaceable> is as above
(MAC addresses are not permitted). Matches packets originating
on the firewall and whose source IP address matches one of the
listed addresses and does not match any address listed in the
<replaceable>exclusion</replaceable>. May not be used with a
chain qualifier (:P, :F, etc.) in the ACTION column. </para>
</listitem>
</varlistentry>
<varlistentry>
<term>$FW:<replaceable>exclusion</replaceable></term>
<listitem>
<para>Matches traffic originating on the firewall, provided
that the source IP address does not match any address listed
in the <replaceable>exclusion</replaceable>.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>source_spec</replaceable>s, separated by commas, may be
given provided that the following alternative forms are used:</para>
<blockquote>
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
<para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para>$FW:(<replaceable>exclusion</replaceable>)</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST -
{-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
<listitem>
<para>where <replaceable>dest-spec</replaceable> is one of:</para>
<variablelist>
<varlistentry>
<term><replaceable>interface</replaceable></term>
<listitem>
<para>where <replaceable>interface</replaceable> is the
logical name of an interface defined in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Matches packets leaving the firewall through the named
interface. May not be used in the PREROUTING chain (:P in the
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>where <replaceable>address</replaceable> is:</para>
<blockquote>
<para>A host or network IP address.</para>
<para>The name of an ipset preceded by a plus sign
("+").</para>
<para>A MAC address in Shorewall format (preceded by a tilde
("~") and using dash ("-") as a separator (e.g.,
~00-A0-C9-15-39-78).</para>
</blockquote>
<para>Matches traffic whose destination IP address matches one
of the listed addresses and that does not match an address
listed in the <replaceable>exclusion</replaceable> (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para> url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term> <term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem> <listitem>
<para>This form combines the preceding two forms and matches <para>May be:</para>
when both the outgoing interface and destination IP address
match. May not be used in the PREROUTING chain (:P in the mark
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
<ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry> <orderedlist>
<term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term> <listitem>
<para>An interface name. May not be used in the PREROUTING chain
(:P in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in <ulink
url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
interface name may be optionally followed by a colon (":") and
an IP address list.</para>
</listitem>
<listitem> <listitem>
<para>This form matches packets leaving through the named <para>A comma-separated list of host or network IP addresses.
<replaceable>interface</replaceable> and whose destination IP The list may include ip address ranges if your kernel and
address does not match any of the addresses in the iptables include iprange support.</para>
<replaceable>exclusion</replaceable>. May not be used in the
PREROUTING chain (:P in the mark column or no chain qualifier
and MARK_IN_FORWARD_CHAIN=No in <ulink
url="manpages/shorewall.conf">shorewall.conf</ulink>
(5)).</para>
</listitem> </listitem>
</varlistentry>
<varlistentry>
<term>$FW</term>
<listitem> <listitem>
<para>Matches packets originating on the firewall system. May <para>Beginning with Shorewall 4.4.13, $FW may be specified by
not be used with a chain qualifier (:P, :F, etc.) in the itself or qualified by an address list. This causes marking to
ACTION column.</para> occur in the INPUT chain.</para>
</listitem> </listitem>
</varlistentry> </orderedlist>
<varlistentry> <para>You may exclude certain hosts from the set already defined
<term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term> through use of an <emphasis>exclusion</emphasis> (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
<listitem>
<para>where <replaceable>address</replaceable> is as above
(MAC addresses are not permitted). Matches packets destined
for the firewall and whose destination IP address matches one
of the listed addresses and does not match any address listed
in the <replaceable>exclusion</replaceable>. May not be used
with a chain qualifier (:P, :F, etc.) in the ACTION
column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$FW:<replaceable>exclusion</replaceable></term>
<listitem>
<para>Matches traffic destined for the firewall, provided that
the destination IP address does not match any address listed
in the <replaceable>exclusion</replaceable>.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>dest_spec</replaceable>s, separated by commas, may be
given provided that the following alternative forms are used:</para>
<blockquote>
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
<para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para>$FW:(<replaceable>exclusion</replaceable>)</para>
</blockquote>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -1487,53 +1332,6 @@ Normal-Service =&gt; 0x00</programlisting>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem>
<para>Added in Shorewall 5.1.0 and allows enabling and disabling the
rule without requiring <command>shorewall restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
<para>When the <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the
switch setting.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>


@@ -41,18 +41,38 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">TYPE</emphasis> - <emphasis <term><emphasis role="bold">TYPE</emphasis> - <emphasis
role="bold">{DNAT</emphasis>|<emphasis role="bold">{DNAT</emphasis>|<emphasis
role="bold">SNAT}</emphasis></term> role="bold">SNAT}[:{P|O|T}</emphasis>]</term>
<listitem> <listitem>
<para>Must be DNAT or SNAT</para> <para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be
optionally followed by :P, :O or :T to perform <firstterm>stateless
NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
support</firstterm> in your kernel and iptables (see the output of
<command>shorewall show capabilities</command>).</para>
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has <para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to
its destination address rewritten to the corresponding address in NET1 has its destination address rewritten to the corresponding
NET2.</para> address in NET2.</para>
<para>If SNAT, traffic leaving INTERFACE with a source address in <para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source
NET1 has it's source address rewritten to the corresponding address address in NET1 has it's source address rewritten to the
in NET2.</para> corresponding address in NET2.</para>
<para>If DNAT:O, traffic originating on the firewall and leaving via
INTERFACE and addressed to NET1 has its destination address
rewritten to the corresponding address in NET2.</para>
<para>If DNAT:P, traffic entering via INTERFACE and addressed to
NET1 has its destination address rewritten to the corresponding
address in NET2.</para>
<para>If SNAT:P, traffic entering via INTERFACE with a destination
address in NET1 has it's source address rewritten to the
corresponding address in NET2.</para>
<para>If SNAT:O, traffic originating on the firewall and leaving via
INTERFACE with a source address in NET1 has it's source address
rewritten to the corresponding address in NET2.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -115,12 +115,11 @@
role="bold">ACCEPT</emphasis>|<emphasis role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|<emphasis role="bold">REJECT</emphasis>|<emphasis
role="bold">BLACKLIST</emphasis>|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis role="bold">CONTINUE</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NONE</emphasis>}[<emphasis role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
role="bold">None</emphasis>}]</term> role="bold">None</emphasis>}]</term>
<listitem> <listitem>
@@ -138,9 +137,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para>The name of an action with optional parameters enclosed in <para>The name of an action. The action will be invoked before
parentheses. The action will be invoked before the policy is the policy is enforced.</para>
enforced.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
@@ -151,16 +149,7 @@
applied to each rule in the action or body that does not already applied to each rule in the action or body that does not already
have a log level.</para> have a log level.</para>
<para>Beginning with Shorewall 5.1.2, multiple <para>Possible actions are:</para>
<replaceable>action</replaceable>[:<replaceable>level</replaceable>]
specification may be listeded, separated by commas. The actions are
invoked in the order listed. Also beginning with Shorewall 5.1.2,
the policy-action list can be prefixed with a plus sign ("+")
indicating that the listed actions are in addition to those listed
in the related _DEFAULT setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>Possible policies are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@@ -188,19 +177,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>Added in Shorewall 5.1.1 and requires that the
DYNAMIC_BLACKLIST setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
specifies ipset-based dynamic blacklisting. The SOURCE IP
address is added to the blacklist ipset and the connection
request is ignored.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">QUEUE</emphasis></term> <term><emphasis role="bold">QUEUE</emphasis></term>


@@ -208,16 +208,6 @@
<option>balance=</option><replaceable>weight</replaceable> <option>balance=</option><replaceable>weight</replaceable>
where <replaceable>weight</replaceable> is the weight of the where <replaceable>weight</replaceable> is the weight of the
route out of this interface.</para> route out of this interface.</para>
<para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
<option>balance=1</option> is assumed unless the
<option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified. Beginning with Shorewall 5.1.1, when
BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
unless the <option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -129,17 +129,6 @@
<para>Beginning with Shorewall 5.0.2, the priority may be followed <para>Beginning with Shorewall 5.0.2, the priority may be followed
optionally by an exclaimation mark ("!"). This causes the rule to optionally by an exclaimation mark ("!"). This causes the rule to
remain in place if the interface is disabled.</para> remain in place if the interface is disabled.</para>
<caution>
<para>Be careful when using rules of the same PRIORITY as some
unexpected behavior can occur when multiple rules have the same
SOURCE. For example, in the following rules, the second rule
overwrites the first unless the priority in the second is changed
to 19001 or higher:</para>
<programlisting>10.10.0.0/24 192.168.5.6 provider1 19000
10.10.0.0/24 - provider2 19000</programlisting>
</caution>
</listitem> </listitem>
</varlistentry> </varlistentry>
